GPS Trackers Can Be Exploited by Hackers to Spy on Your Loved Ones
There are many products that promise to give you and your loved ones better security both in the digital and in the real world. Due to the way these devices and services work, however, they can also put you and the people you love at risk if they're not designed and tested properly. Most users don't realize this, but security experts do.
An elderly relative of Andrew Mabbit, a penetration testing specialist working for Fidus Information Security, recently received a new GPS tracking device that doubles as a panic button and can alert Mabbit and his family in an emergency. After doing some research, he found that more than 10,000 such devices have been sold and are in use in the UK, with plenty more around the world. He also saw that although they are marketed under a number of different brands (including but not limited to Pebbell 2 – HoIP Telecom, Personal Alarm & GPS Tracker with Fall Alert – Unforgettable, Footprint – Anywhere Care, SureSafeGO 24/7 Connect 'Anywhere' Alarm, etc.), they are all produced by the same Chinese manufacturer. Finally, he and his colleagues found that these GPS trackers ship with a serious security flaw.
How do the vulnerable GPS trackers work?
The GPS trackers connect to the cellular network via a SIM card. Every SIM card is associated with a phone number, and because the SIM cards had evidently been bought in bulk (and so carried numbers from the same block), Mabbit was able to write a simple script that enumerated the phone numbers of hundreds of active GPS trackers.
Interacting with the trackers is as simple as sending commands as text messages. Worryingly, the device accepts these commands from any phone number, not just the ones listed as emergency contacts, and worst of all, the authentication system that is supposed to secure it suffers from a major design flaw.
Poor implementation of a PIN-based authentication mechanism leaves the GPS trackers open for exploitation
The only way to protect the GPS trackers from unauthorized access is via a PIN-based authentication system that, for reasons that are completely unfathomable, is disabled by default. In other words, out of the box, anyone who knows the phone number associated with one of the vulnerable devices can command it remotely.
Of course, the user manual gives instructions on how to assign a PIN, and most people who bother to read it will presumably take the time to secure the device. They should bear in mind, however, that getting around the PIN is terrifyingly easy. In a demonstration for TechCrunch, Andrew Mabbit explained how it works.
If you have protected your grandmother's GPS tracker with a PIN, getting the location of the device would mean sending an SMS that contains the PIN followed by the "Loc" command. Most commands won't work without the PIN, but there are two exceptions.
The commands "reboot" and "reset" are executed even when the PIN is not included. "Reboot" simply restarts the device, so the damage it can do is limited. "Reset", however, restores the tracker to its factory defaults: it wipes all the emergency contacts, reverts every change made to the device, and disables the PIN authentication mechanism. An attacker who knows the number therefore needs just two text messages, an unauthenticated "reset" followed by any other command, and the tracker is a sitting duck.
What can attackers do with the vulnerable GPS trackers?
As we mentioned already, the tracker responds to the "Loc" command with its precise location. It sends not only the GPS coordinates but also the speed at which it is moving, the altitude, and a handy Google Maps link that leads you directly to it.
Attackers can also read the battery level and the device's IMEI, and they can disable various features and alarms. Last but not least, they can turn the GPS tracker into a listening bug: the "L1" command makes the device call the sender back with its built-in microphone active, so the attacker can listen to what is going on at the other end while the wearer is none the wiser.
These devices are worn by the most vulnerable members of our society, the elderly and our children, and it's no secret that some businesses also use them to keep track of their workforce. The potential consequences of such an attack are, as Fidus put it, "pretty scary", and sadly, prevention is hard.
Fixing the issue won't be easy
Fidus' experts pointed out that from a purely technical perspective, patching the hole shouldn't be that difficult, especially for new devices. Enabling PIN authentication by default and refusing to perform a factory reset without it would be a good start. For added protection, vendors could also alter the firmware so that devices ignore commands issued from phone numbers outside the emergency contact list.
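The following toy model puts the two halves of the story side by side: the command handling the article describes (PIN off by default, "reboot" and "reset" accepted without a PIN, "reset" switching the PIN off) and the same command set with the three fixes Fidus suggested. It is an added illustration written for this page, not the vendors' firmware and not Fidus' test code. The message layout "<PIN><command>" (for example "1234Loc"), the use of an empty PIN to mean "authentication disabled", the reply strings and the phone numbers are assumptions; only the command names Loc, reboot, reset and L1 and their effects come from the article.

```python
"""Toy model of the SMS command handling described in the article.

Added illustration; not the vendors' firmware and not Fidus' code.
Assumed (not on the page): messages look like "<PIN><command>", an empty PIN
means PIN authentication is disabled, reply strings and phone numbers are
constructed. Command names and their effects follow the article.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VulnerableTracker:
    """Behaves like the tracker the article describes."""
    pin: str = ""                              # factory default: no PIN, auth disabled
    contacts: List[str] = field(default_factory=list)
    location: str = "51.5007,-0.1246"          # constructed sample GPS fix
    mic_open: bool = False

    def _split_pin(self, body: str):
        """Return (command, authenticated). With no PIN set, everyone is 'authenticated'."""
        if self.pin and body.startswith(self.pin):
            return body[len(self.pin):], True
        return body, not self.pin

    def _run(self, cmd: str) -> str:
        if cmd == "reboot":
            return "OK rebooting"
        if cmd == "Loc":
            return f"Loc {self.location} https://maps.google.com/?q={self.location}"
        if cmd == "L1":
            self.mic_open = True                # device calls back with the mic live
            return "OK listening"
        return "ERR unknown command"

    def handle_sms(self, sender: str, body: str) -> Optional[str]:
        # Flaw 1: the sender is never compared with the emergency-contact list.
        cmd, authenticated = self._split_pin(body)
        # Flaw 2: reboot and reset run whether or not the PIN was supplied.
        if cmd == "reboot":
            return self._run(cmd)
        if cmd == "reset":
            # Flaw 3: factory reset wipes the contacts AND switches the PIN off.
            self.pin = ""
            self.contacts.clear()
            self.mic_open = False
            return "OK reset"
        if not authenticated:
            return "ERR bad PIN"
        return self._run(cmd)


@dataclass
class HardenedTracker(VulnerableTracker):
    """Same command set with the three fixes the article suggests."""

    def __post_init__(self) -> None:
        if not self.pin:                        # Fix 1: a PIN is mandatory, not optional
            raise ValueError("tracker must be provisioned with a PIN")

    def handle_sms(self, sender: str, body: str) -> Optional[str]:
        if sender not in self.contacts:         # Fix 2: drop numbers outside the contact list
            return None
        cmd, authenticated = self._split_pin(body)
        if not authenticated:                   # Fix 3: every command, reset included, needs the PIN
            return None
        if cmd == "reset":
            self.contacts.clear()               # wipe settings but keep requiring the PIN
            self.mic_open = False
            return "OK reset"
        return self._run(cmd)


def pin_bypass(tracker: VulnerableTracker, attacker: str = "+447700900999") -> Optional[str]:
    """The two-message sequence from the article: unauthenticated reset, then Loc."""
    tracker.handle_sms(attacker, "reset")
    return tracker.handle_sms(attacker, "Loc")


if __name__ == "__main__":
    victim = VulnerableTracker(pin="1234", contacts=["+447700900123"])
    print(pin_bypass(victim))                   # location leaks; victim.pin is now ""
    fixed = HardenedTracker(pin="1234", contacts=["+447700900123"])
    print(pin_bypass(fixed))                    # None: both messages are dropped
```

Run it and the vulnerable tracker gives up its location to a stranger even though a PIN had been set, because the "reset" that preceded the "Loc" request turned authentication off; the hardened variant ignores the same two messages and keeps its PIN and contact list. Note that fix 2 alone would not be enough on a real device: SMS sender numbers can be spoofed, which is why the mandatory PIN and the authenticated reset matter as well.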
Sadly, doing all these changes remotely is not possible which means that if the devices that have already been sold are to be secured, the vendors will need to recall them. This could be very expensive, and not surprisingly, while some of the suppliers Fidus contacted did say that they are looking into the issue, others preferred not to respond, suggesting that they could leave the trackers vulnerable.