Haredi users of 'non-kosher' phones revealed through security loophole
Orange’s system can be used to identify individuals who are using smartphones, despite the strict prohibition against them within the ultra-Orthodox community.
A system developed by the Orange cellular phone company can be exploited to reveal the identities of various users of smartphones, among them ultra-Orthodox owners of the devices, which are considered impure and “non-kosher.”
Amitai Dan, an information security expert and founder of a company called Cybermoon, discovered the system. It allows information to be gathered on cell phones linked to various Israeli networks, he says, as well as on devices installed in vehicles.
After Dan’s discovery, Orange restricted usage of the system to those who have a special user name and password.
The technology in question, says Dan, was developed as part of a customer service platform for Orange’s book-selling scheme, and can be used to identify the particular cellular device being used: The Orange – portalXml Web Service, as it is called, allows anyone with access to it to conduct searches according to phone numbers.
Spokesmen for Orange say the system was not available to the greater public via its website, nor from any links appearing there. Dan, however, pointed out that he was able to access it through a simple Google search for “msisdn.co.ilm,” a term associated with cell-phone numbers.
In effect, Dan discovered that by conducting this simple search, anyone who knows someone else’s phone number can figure out what type of device they are using.
This information, he explains, can be used by hackers in various situations. Someone attempting to break into someone else's cell phone, for example, will have a much easier time if they know the exact model of the device in advance.
The data collected via the system is also helpful in identifying users of the Voyager device that is generally installed in cars, due to its unique user signature, which has made it especially vulnerable to hackers.
The usual practice in organizations and companies of using an ordinal series of phone numbers for employees that differ by only the last one or two digits also makes it easier for hackers trying to target them, Dan adds.
“The trend in large organizations is that the entire company uses a similar set of phone numbers, putting all of the devices owned by the company at higher risk, and now we can more easily understand why. When there is one account number for all the workers of a company, it can be exploited by hackers using the method I described,” he says.
But perhaps the most problematic aspect of Dan’s discovery concerns the fraught relationship between technology and the values of ultra-Orthodox society: Orange’s system can be used to identify individuals who are using smartphones, despite the strict prohibition against them within that sector of society.
Many leading ultra-Orthodox rabbis have harshly condemned smartphones, declaring them forbidden or even calling for them to be destroyed. Indeed, Rabbi Chaim Kanievsky, a leading rabbi of local Lithuanian Haredi sects, has called on his followers to burn iPhones, and even ruled that those who own smartphones cannot serve as witnesses at religious ceremonies.
“Anyone who has an iPhone, open [access to the] Internet or anything similar, is disqualified as a witness for marriage or divorce, if such a person was a witness, they are retroactively disqualified, the divorce or marriage needs to be redone,” according to the ruling.
The American ultra-Orthodox community has also been waging a battle against smartphones. Recently, there have been reports of a hotline that has been established in Williamsburg, Brooklyn, to report on yeshiva students who are using the forbidden devices.
For its part, the Partner Communications Company, which operates Orange, has stated with respect to the system Dan discovered: “This was an isolated incident that was handled immediately upon discovery, over two months ago. It must be stated that the link in question was not part of the company’s website, and that it can only be accessed with specific user-data. Partner makes extra efforts to follow all information-security protocols to secure customers’ data, and does everything possible to prevent exploitation of the network.”