Security Now 1052: Global Cellphone Tracking - Checkout.com Fights Back
Date: November 19, 2025
Hosts: Steve Gibson & Leo Laporte
Theme: A deep dive into global cellphone tracking tactics exploiting mobile network protocols—with news on Apple’s Digital ID, Google’s private AI compute, security developments, and more.
Episode Overview
This week, Steve and Leo examine the disturbing reality of global cellphone tracking—not through malware, but by exploiting weak foundational protocols still at the heart of the world’s mobile phone infrastructure. In addition, they review Apple’s new digital ID for iPhones, discuss Google’s “Private AI Compute” cloud offerings, highlight a bold stand against ransomware by checkout.com, and touch on developments in authentication and operating system updates.
Key Discussion Points & Insights
1. Apple Digital ID: Passports in Your iPhone Wallet
[26:13 – 44:00]
- Apple’s New Feature: On iOS 26, users can now add their US passport as a Digital ID to their Apple Wallet, expanding beyond digital driver’s licenses.
- Setup Process (Steve's Experience):
  - Scan the passport’s photo page with the iPhone camera.
  - Acquire data from the passport’s embedded RFID chip (the phone vibrates to indicate success).
  - “Proof of life”: face scan, eye movement, smile, and random movements to confirm liveness—not just a spoofable photo.
  - Result: the Digital ID is available in Apple Wallet, but limited to one device at a time.
- Current Utility:
  - Accepted at TSA checkpoints in 250+ US airports (domestic only, not for international travel).
  - Foundations laid for privacy-preserving age verification and future identity assertions (e.g., "I'm over 18," without revealing more).
  - If you lose access to the device, you cannot keep the same ID on another until it is removed from the first.
- Quote (Steve):
  “Apple kind of slipped this one in under the radar… Now I have a passport-authenticated, government-issued identity in this new Digital ID.” [26:38]
- Limitations:
  - Not a full replacement for a physical passport.
  - Usage is currently limited; universal acceptance and online privacy-preserving assertions await broader industry standards.
- Apple’s Approach: Focus on privacy and security; biometric and device-binding measures to prevent spoofing.
- Notable Observations:
  - Steve confirmed you cannot have the Digital ID on multiple devices.
  - The setup process randomizes proof-of-life requirements (e.g., open mouth, look down, etc.) for extra security.
2. Checkout.com Refuses Ransom, Invests in Security
[44:08 – 47:57]
- Incident: The Shiny Hunters extortion gang compromised an old, third-party cloud file storage system (used pre-2020), affecting <25% of current merchants.
- Checkout.com’s Response:
  - Full transparency: "This was our mistake and we take full responsibility."
  - Clear on impact: no merchant funds or card numbers were exposed.
  - Refused ransom payment; instead, donated the equivalent sum to university cybersecurity research at Carnegie Mellon and Oxford.
- Quote (Steve):
  “This is the way to handle a data breach… Mariano’s donation is meant to have the effect of backfiring on the attackers.” [47:47]
3. Google’s Private AI Compute: Security & Trust in the Cloud
[51:57 – 62:32]
- Overview: Google introduces “Private AI Compute,” promising powerful Gemini-model AI capabilities in the cloud while keeping personal data “private to you… not even Google.”
- Key Claims:
  - Data processed is as secure as on-device computation, enabled by “Titanium Intelligence Enclaves.”
  - Remote attestation and encryption are used to establish a “sealed cloud environment.”
- Skepticism & Analysis:
  - Leo: “It’s in transit anytime it’s going from one point to another.” [57:28]
  - Steve: “Everything we know tells us that it cannot be as secure [as on-device]… But is it secure enough?”
  - Best fit for time-shared, bursty computational needs (AI workloads).
  - For highly sensitive data, local compute is still best; for typical personal workloads, Google’s track record could be sufficient.
  - Market perspective: Brand reputation in security is key; Google has not had any reported breaches of this nature.
4. Russia’s New SIM Tracking Measures
[94:15 – 99:08]
- Context: Russia temporarily suspends mobile internet/SMS for 24 hours on phones returning from abroad or unused for 72 hours.
- Purpose: Prevent Ukrainian drone attacks using "fresh" SIM cards as command-and-control or navigation aids.
- Mechanism: Mobile users can restore access by completing a CAPTCHA via telecom operator; voice calls remain unaffected.
- Quote (Steve):
“Pretty clever idea… It’s better than getting blown up. But… how does this prevent an enemy drone from using cell towers for navigation?” [97:31]
5. Global Cellphone Tracking: The Danger Is in the Network
[144:27 – 175:57]
How the Exploit Works:
- Company Profiled: First WAP (Jakarta-based, European-run).
- Product: Altimedes—a tool for location profiling of any phone number, globally, without malware or user knowledge.
- Can perform:
  - Location tracking
  - SMS and call interception
  - Spoofing messages
  - Attacks on encrypted messaging apps (claimed)
- Discovery: Researchers analyzed a leaked 1.5 million-row data set showing successful tracking at huge scale.
- Targets included: journalists, activists (including some who were later assassinated), and business people.
- Mechanism Exploited:
  - SS7 Protocol: Decades-old telecommunications protocol at the core of global mobile networking.
  - Vulnerability: Lacks authentication, allowing any party with network access to send queries (e.g., "Where is this phone number right now?") and receive precise routing info (which cell tower).
  - Used to map cellphone towers to locations, offering granular tracking, especially in cities.
  - No malware needed: network-level tracking is transparent to both the user and the device.
- Market & Abuse:
  - First WAP and similar companies lease access from legitimate telecom operators (e.g., Liechtenstein Telecom) and route mass surveillance queries worldwide.
  - Many carriers try to combat abuse with “firewalls,” but it is difficult to spot malicious queries masquerading as legitimate ones.
- Implications:
  - Switching to 4G/5G helps somewhat, but backward compatibility ensures SS7’s continued relevance.
  - As long as your phone is on and connected, its approximate location can be tracked globally.
  - Only Defense: airplane mode, disabling the cellular radio, or using “burner” devices for sensitive activity.
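As an added illustration of the carrier-side “firewall” problem described above (this is not code from the episode or from the Lighthouse Reports investigation), here is a toy rule set that flags location-disclosing SS7 MAP queries which do not fit a legitimate roaming pattern. The log format, the global titles, the IMSIs and the thresholds are all constructed for the example; the MAP operation names are real, but the episode does not name them.

```python
"""Toy SS7 'firewall' rule set: flag MAP queries that disclose a subscriber's
location but do not fit a legitimate roaming pattern. The log format and every
global title / IMSI below are constructed for this example."""
from collections import defaultdict
from typing import List, Tuple

# Real MAP operation names that return a subscriber's serving cell/VLR.
# SendRoutingInfoForSM also leaks location but is needed for SMS delivery,
# so a real firewall must treat it with extra context; it is left out here.
LOCATION_OPS = {"AnyTimeInterrogation", "ProvideSubscriberInfo"}
# Global titles of roaming partners expected to ask about our roamers (constructed).
TRUSTED_GT = {"447700900001", "33600000002"}
# Network each of our subscribers is registered on; "home" = not roaming (constructed).
SUBSCRIBER_NETWORK = {"IMSI-A": "home", "IMSI-B": "447700900001", "IMSI-C": "home"}
MAX_TARGETS_PER_SOURCE = 2  # more distinct subscribers than this looks like bulk profiling

SAMPLE_LOG = """447700900001 ProvideSubscriberInfo IMSI-B
447700900001 ProvideSubscriberInfo IMSI-A
99900000009 AnyTimeInterrogation IMSI-A
99900000009 AnyTimeInterrogation IMSI-B
99900000009 AnyTimeInterrogation IMSI-C
33600000002 UpdateLocation IMSI-C"""


def scan(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line or source GT, reason) pairs for everything that looks abusive."""
    flags = []
    targets_by_source = defaultdict(set)
    for line in log_text.splitlines():
        source_gt, op, imsi = line.split()  # constructed format: "<src_gt> <op> <imsi>"
        if op not in LOCATION_OPS:
            continue
        targets_by_source[source_gt].add(imsi)
        if source_gt not in TRUSTED_GT:
            flags.append((line, "source GT is not a known roaming partner"))
        elif SUBSCRIBER_NETWORK.get(imsi) != source_gt:
            # A partner may legitimately ask about subscribers roaming on *its* network;
            # asking about someone at home (or on another network) is the masquerade case.
            flags.append((line, "subscriber is not roaming on the querying network"))
    for source_gt, imsis in targets_by_source.items():
        if len(imsis) > MAX_TARGETS_PER_SOURCE:
            flags.append((source_gt, f"queried {len(imsis)} distinct subscribers in one window"))
    return flags


if __name__ == "__main__":
    for item, reason in scan(SAMPLE_LOG):
        print(f"{reason}: {item}")
```

The second rule is the one that catches a leased, otherwise “legitimate” global title: the query looks valid at the protocol level, and only correlating it with where the subscriber is actually registered exposes it.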
Memorable Quotes:
- Steve: “It is then possible to track their global movements with the granularity of cell phone towers. So, wow… no amount of cell phone hygiene will prevent this tracking. Nothing can prevent it. It’s part of the fabric of the cellular radio-based system we all use today.” [175:14]
- Leo: “You don’t even need a Stingray, you just lease a legit [global title].” [167:38]
- Lighthouse Reports (read by Steve): “It was never designed with security in mind.” [163:09]
- Advice: “Switching a phone to airplane mode or completely switching off the cellular radio is the only way to disappear.” [175:07]
Additional Notable Segments
Picture of the Week: Refactoring Code
[10:28 – 26:09]
- Funny subway pipe photo: An overly complex solution to avoid moving a sign—used as a metaphor for when software projects desperately need refactoring.
- Code Refactoring Discussion: Steve and Leo reflect on the art and satisfaction of cleaning up code, why ‘naming things well’ matters, and how legacy codebases accrue “barnacles.”
Google Backtracks on Developer Registration
[71:09 – 76:45]
- Google modifies its earlier stance requiring every Android developer to register and pay; now allowing hobbyists and “advanced” users a path for sideloading unverified apps but with strong warnings.
- Dedicated “advanced flow” planned for sideloaders (like F-Droid users) with prominent risk disclosure.
Passkey APIs in Windows 11; Integration by 1Password & Bitwarden
[80:34 – 94:12]
- November update brings native Passkey manager support to Windows 11.
- 1Password & Bitwarden are launch partners, enabling deeper OS integration for passwordless logins, synced across platforms.
- Microsoft’s own password manager now appears as a peer plugin in the new system.
Listener Feedback & Mini-Segments
[100:53 – 142:00]
- Blacklists & Deliverability Tools: dmarcly.com tip for testing email domain deliverability.
- Windows 10 Updates: Clarification on continued updates—latest patch ensures ESU (Extended Security Updates) enrollment works, not new security fixes.
- AI Shopping Assistants: Different LLMs suggest different products; each creates its own “mini market” based on training bias.
- Registry Tweaks: How to disable the Windows “Run” dialog to help family/friends avoid recent phishing exploits.
Notable Quotes & Timestamps
- “Apple will be able to generate secure, privacy-preserving assertions… such as ‘over 18’ without revealing a single additional fact about a device’s user.”
  — Steve Gibson [34:41]
- “We will not be extorted by criminals. We will not pay this ransom.”
  — Mariano Albera, CTO of Checkout.com [45:12]
- “Everything we know tells us that it cannot be as secure. Right? I mean…it’s not going to be. Nothing in the cloud is going to be as secure as on-premise.”
  — Steve Gibson [57:28]
- “It’s likely to have the tendency, not surprisingly, to false positive somewhat, but Russian citizens will just need to put up with that inconvenience. You know, it’s probably better than getting blown up.”
  — Steve Gibson [97:31]
- “It was never designed with security in mind.”
  — Lighthouse Reports / Steve Gibson narrating [163:09]
- “No amount of cell phone hygiene will prevent this tracking. Nothing can prevent it. It’s part of the fabric of the cellular radio based system we all use today.”
  — Steve Gibson [175:14]
Timestamps for Critical Segments
- Apple Digital ID: 26:13 – 44:00
- Checkout.com Anti-Ransom Response: 44:08 – 47:57
- Google Private AI Compute: 51:57 – 62:32
- Global Cellphone Tracking (Main Topic): 144:27 – 175:57
- Picture of the Week / Refactoring Code: 10:28 – 26:09
- Passkey Support in Windows 11: 80:34 – 94:12
Language & Tone
- Conversational, curious, thorough, occasionally mocking bad security practices (“It was never designed with security in mind!”).
- Engineering and privacy-oriented skepticism; heavy emphasis on granular technical explanations.
Conclusion
Key Takeaway:
If you carry a cellphone, you can be tracked globally—no malware needed. The weakest link is still at the foundation: outdated, insecure protocols (like SS7) on which billions rely, unpatched and open to systematic abuse. Technical mitigations at the app or device level provide no defense against these network-level attacks. Meanwhile, advances in digital identity management, passwordless logins, and organizational security response give hope in other corners of the digital world.
Advice:
For sensitive contexts—turn your phone off or use throwaway devices. For everything else, recognize the privacy trade-offs we all make for always-on connectivity.
Resources & Further Reading:
- Lighthouse Reports on First WAP and Altimedes leak
- Lifehacker on Apple's Digital ID
- Google on Private AI Compute
Tune in next week for more in-depth analysis, digital security news, and practical insights!