Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Mobile

4/22/2011
10:05 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Weaponizing GPS Tracking Devices

Researcher demonstrates how he was able to easily turn Zoombak personal GPS devices against their owners

Those low-cost embedded tracking devices in your smartphone or those personal GPS devices that track the whereabouts of your children, car, pet, or shipment can easily be intercepted by hackers, who can then pinpoint their whereabouts, impersonate them, and spoof their physical location, a researcher has discovered.

Security researcher Don Bailey at SOURCE Boston today disclosed the newest phase of his research on the lack of security in embedded devices, demonstrating how he is able to hack vendor Zoombak's personal GPS locator devices in order to find, target, and impersonate the user or equipment rigged with these consumer-focused devices. Bailey, a security consultant with iSEC Partners, decided to call out the widely available products from Zoombak after the vendor and its parent company Securus Inc. didn't respond when he alerted them about the security weaknesses. Mitigating these attacks would only require a few simple changes to the product, he says. Meanwhile, the threat is real, he says. "Anyone with a little hardware knowledge could reverse-engineer this," he says. "Children are physically at [risk] because these devices can be turned into weapons."

Bailey also released tools today for each of the three attacks he demonstrated at SOURCE Boston.

"Embedded devices are low-cost, easy to use, and easy to debug. And the security landscape is very small," Bailey says. "There is very little capability for integrating secure communications on the devices and ensuring that it's your code executing on there."

The underlying issue is that the low-cost and rapid commoditization of these embedded systems precludes their being properly secured. "There's a low entry point for people to develop them, so you have a serious problem because new developers and new startups don't have an understanding of security. It's an insecure product by default," he says.

Embedded system security is tricky in that there are so many moving parts in the final products, including baseband, GPS firmware, application firmware, and SIM software, according to Bailey.

It's not just consumer GPS tracking devices that are vulnerable, either. Bailey says he was also able to hack server SCADA embedded systems. "I was able to remotely compromise the box in its entirety" via the microcontroller on it, he says.

With the Zoombak device, Bailey was able to discover the tracking devices, profile them, using what he calls "war texting," to intercept their location. Zoombak uses a Web 2.0 interface that provides a map showing the GPS-equipped person or payload's physical location. The devices receive commands via SMS text messages.

In the first attack, Bailey forced the device to send him its physical location using techniques to grab the GPS coordinates and local cell tower information. "I can force those devices to bypass the manufacturer's controls and give me their information and they have no idea that I've intercepted their location," he says.

Once he fingerprinted the device, he can determine just what it is. "I know if it's a semi, a mail van, or a teenager driving the family car just by watching the vehicle for a certain period of time. I can use traffic cameras on Google satellite," he says. That would leave the GPS-outfitted person or payload prone to physical attack, he says.

Bailey was also able to impersonate the Zoombak personal GPS tracking device. "I use it as a weapon to fake the location data. If it's a truck on I-70, I can take the device and force it to send false location to the server and meantime, could hijack the truck," he explains. Zoombak's command and control channel is in the clear, unencrypted.

These devices could be locked down with some type of PKI on the microcomputer to encrypt the communications between the device and its server, Bailey says. "I can just sniff the line and see all of the data in plain text. I shouldn't be able to do that so easily; it's pretty ridiculous," he says.

Another protection would be to ensure that when a device on a 3G network that it cannot interact with other 3g devices: it should only be able to speak with the manufacturer's server, he says. And he suggests network partititioning, which also would help secure these devices.

Zoombak had not responded to press inquiries as of this posting.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
5 Ways to Up Your Threat Management Game
Wayne Reynolds, Advisory CISO, Kudelski Security,  2/26/2020
Exploitation, Phishing Top Worries for Mobile Users
Robert Lemos, Contributing Writer,  2/28/2020
Kr00k Wi-Fi Vulnerability Affected a Billion Devices
Robert Lemos, Contributing Writer,  2/26/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
State of Cybersecurity Incident Response
State of Cybersecurity Incident Response
Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3006
PUBLISHED: 2020-02-28
On the QFX3500 and QFX3600 platforms, the number of bytes collected from the RANDOM_INTERRUPT entropy source when the device boots up is insufficient, possibly leading to weak or duplicate SSH keys or self-signed SSL/TLS certificates. Entropy increases after the system has been up and running for so...
CVE-2015-5361
PUBLISHED: 2020-02-28
Background For regular, unencrypted FTP traffic, the FTP ALG can inspect the unencrypted control channel and open related sessions for the FTP data channel. These related sessions (gates) are specific to source and destination IPs and ports of client and server. The design intent of the ftps-extensi...
CVE-2020-6803
PUBLISHED: 2020-02-28
An open redirect is present on the gateway's login page, which could cause a user to be redirected to a malicious site after logging in.
CVE-2020-6804
PUBLISHED: 2020-02-28
A reflected XSS vulnerability exists within the gateway, allowing an attacker to craft a specialized URL which could steal the user's authentication token. When combined with CVE-2020-6803, an attacker could fully compromise the system.
CVE-2019-4301
PUBLISHED: 2020-02-28
BigFix Self-Service Application (SSA) is vulnerable to arbitrary code execution if Javascript code is included in Running Message or Post Message HTML.