All your GPS Trackers belong to Us - PowerPoint PPT Presentation

  1. All your GPS Trackers belong to Us

  2. Who we are
     - Pierre Barre, Lead Security Researcher, Mobile and Telecom Lab
     - Chaouki Kasmi, Lab Director, Mobile and Telecom Lab
     - Eiman Al Shehhi, Security Researcher, Mobile and Telecom Lab
     - The opinions and results presented in this article are the sole responsibility of the authors.
     - Tests and Validation Labs, xen1thLabs, DarkMatter Group

  3. GPS Tracker Technology
     - Cheap
     - Using remote management without advertising it
     - Available everywhere
     - Compatible with iOS/Android

  4. Presentation
     - Infrastructure
     - Devices
     - Blackbox analysis
     - Information gathering (FCC ID)
     - Network analysis (wireless and wired)
     - Reverse engineering (hardware, firmware, clients)
     - OWASP - web app

  5. General Architecture
     - Diagram: tracked devices/items send tracking reports (GPS satellites, mobile network, Internet) to the management servers, web servers and database.
     - Points of interaction:
       - Radio interface (GPS/mobile network)
       - Internet
       - Remote servers
       - Web application
       - Mobile application
       - Management protocols

  6. Existing research
     - Web analysis: Trackmageddon ("Multiple vulnerabilities in the online services of (GPS) location tracking devices")
     - Kang Wang, Shuhua Chen, Aimin Pan, "Time and Position Spoofing with Open Source Projects"
     - Fidus, "Exploiting 10,000+ devices used by Britain's most vulnerable"

  7. Defining attack surfaces
     - Security of GPS trackers is well-known
     - Objectives: finding new vulnerabilities/weaknesses, having fun, hacking the planet
     - Exploitation: detecting trackers (2G, 2.5G, 3G and IP network), tracking people, remotely shutting down car engines, GPS information, BTS and eNodeB information
     - Attack surfaces:
       - Radio - passive (2G, GPRS)
       - Radio - active (2G, GPRS and GPS)
       - Network (Layer 3!) - remote management server and custom protocols
       - Hardware attack - tracker
       - Software attack - tracker
       - Software attack - iOS/Android clients
       - Web interface (management)

  8. Analyzed trackers
     - Multiple GPS trackers bought online (AliExpress)
     - Presentation of the devices
     - 3 types of GPS / infrastructures
     - GPS infrastructures share the same technologies!
     - Chinese domination of existing solutions
     - 2 solutions:
       - GSM (A5/1) interception
       - Setup of a custom BTS
     - 1 paper in MISC (focused on methodology)
     - 1 scientific paper (focused on privacy)

  9. Passive Radio Attack
     - YateBTS with sgsntun interface
     - SIM cards (not USIM)
     - Live demo! Registration (using IMEI or S/N and 123456)
     - Creation of the account in advance
     - Configuration using SMS
     - First fail: content of all SMS sent to China (we will come back to this later)
     - Proprietary protocols over text messages

  10. Passive Radio Attack
     - Setup is very cheap (BladeRF, SIM cards, Internet)
     - Very good results in a limited time
     - All trackers send coordinates to IPs in China
     - The traffic is not encrypted and is easily identifiable
     - Passwords sent in clear text, S/N used as a token
     - SMS configuration is generic and very dangerous
     - "Firewall" using a master phone number - bypassed by spoofing the Caller-ID
     - The phone number of the tracker is supposed to be "secret" (security/privacy)

  11. Passive Radio Attack - configuration using SMS
     1. An SMS ("Status") is sent to the tracker from 440025239 over 2G
     2. Sniffing of the GPRS data from the tracker:
        1. IP packet to 203.130.62.29:8841
        2. 690217122612463 = S/N of the GPS tracker
        3. +440025239 is the sender
        4. "Status" is the content of the SMS
     - Only specific commands sent from SMS?
       1. An SMS ("jjjj […]") is sent to the tracker using 2G
       2. The tracker sends the content of the SMS to a remote server (203.130.62.29)

  12. Passive Network Attack - RE of custom protocols
     - No authentication; observed message layout: \x79\x79\x00 I \xf2 [S/N-ASCII][BLOB-ASCII] \x01\x7e [BLOB-ASCII]
     - Traffic sent to 203.130.62.29:8841/tcp (geo-located in China)
     - Basic client allowing us to send forged coordinates
     - Where is Waldo?
         Pinging 203.130.62.29 with 32 bytes of data:
         Reply from 203.130.62.29: bytes=32 time=9ms TTL=58
         Reply from 203.130.62.29: bytes=32 time=10ms TTL=58
     - 10 ms and 6 hops? To China? Impossible
     - 203.130.62.29/24 is announced by Etisalat, the largest UAE provider, and hosted in Dubai
     - Everything (configuration, tracking, information, phone numbers) is sent to the UAE
     - Big trust given to the manufacturer. GDPR anyone?
     - Reconfiguration of the management server using SMS = allows expats to set up an SMS forwarding service at no cost

  13. Passive Network Attack - RE of custom protocols
     - U-blox module - connection to a TCP service on port 56447/tcp:
         cmd=full;user=XXXXXX@gmail.com;pwd=XXXXXX;lat=22.680193;lon=114.146846;alt=0.0;pacc=100.00
         u-blox a-gps server (c) 1997-2009 u-blox AG
         Content-Length: 2856
         Content-Type: application/ubx
         .b..0......
     - The client then regularly sends information to a second server (8011/tcp) indicating its position:
         *HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#
         *HQ,17000XXXXX,NBR,094111,310,26,02,1,1000,10,23,100119,FFFFFFFF#
         *HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF#
         *HQ,17000XXXXX,NBR,115117,310,26,02,1,1000,10,22,100119,FFFFFFFF#
     - Different commands can be detected according to the serial number (17000XXXXX). 2240.8116 corresponds to the latitude 22.408116 and 11408.8108 to the longitude 11.4088108.

  14. Active Network Attack - RE of custom protocols
     - There is no authentication in the protocol
     - We wrote a client in Perl resulting in locations in North Korea
     - An attacker able to guess a serial number can send false information to the GPS management infrastructure
     - Hint: this is doable
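As an added example (not the authors' Perl client, nor any vendor code), the following Python parses the *HQ V1 position report shown on slide 13, converts its DDMM.MMMM fields to decimal degrees, and applies the plausibility check a back-end could run instead of blindly trusting reported coordinates (slide 14): consecutive fixes from one serial that imply an impossible ground speed are flagged. The field roles beyond what the sample shows are assumptions, and the third, far-away report is constructed; converting 2240.8116 N / 11408.8108 E this way gives 22.680193 / 114.146846, the same values the tracker sent in its A-GPS request.

```python
import math
from collections import namedtuple
from datetime import datetime

# Constructed sample: two report shapes copied from the slide plus a constructed
# V1 report 30 s later, placed ~2000 km away (what a forged fix would look like).
SAMPLE_LINES = [
    "*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#",
    "*HQ,17000XXXXX,NBR,115117,310,26,02,1,1000,10,22,100119,FFFFFFFF#",
    "*HQ,17000XXXXX,V1,115142,A,3901.2000,N,12545.0000,E,000.0,000.00,100119,FFFFFFFF#",
]
Fix = namedtuple("Fix", "serial when lat lon")

def ddmm_to_deg(value: str, hemi: str) -> float:
    """NMEA-style DDMM.MMMM (DDDMM.MMMM for longitude) -> signed decimal degrees."""
    whole, _, frac = value.partition(".")
    deg = int(whole[:-2]) + float(whole[-2:] + "." + (frac or "0")) / 60.0
    return -deg if hemi in ("S", "W") else deg

def parse_v1(line: str):
    """Return a Fix for a '*HQ,<serial>,V1,...#' report, else None. Field roles
    (time hhmmss, 'A' = valid, lat/N, lon/E, date ddmmyy) are assumed from the sample."""
    if not (line.startswith("*HQ,") and line.endswith("#")):
        return None
    f = line[1:-1].split(",")
    if len(f) < 12 or f[2] != "V1" or f[4] != "A":   # skips NBR/LINK and invalid fixes
        return None
    when = datetime.strptime(f[11] + f[3], "%d%m%y%H%M%S")
    return Fix(f[1], when, ddmm_to_deg(f[5], f[6]), ddmm_to_deg(f[7], f[8]))

def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(b.lon - a.lon) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def implausible_jumps(lines, max_kmh: float = 300.0):
    """Flag consecutive fixes of one serial that imply a speed above max_kmh, as
    (serial, time, km moved): a server-side sanity check instead of blind trust."""
    last, flags = {}, []
    for fix in filter(None, map(parse_v1, lines)):
        prev = last.get(fix.serial)
        if prev is not None:
            secs = (fix.when - prev.when).total_seconds()
            km = haversine_km(prev, fix)
            if secs > 0 and km / secs * 3600 > max_kmh:
                flags.append((fix.serial, fix.when.isoformat(), round(km)))
        last[fix.serial] = fix
    return flags
```

Running `implausible_jumps(SAMPLE_LINES)` flags the constructed third report (roughly 2100 km in 30 s), while the NBR line is ignored as a non-position message.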

  15. Active Radio Attack
     - GPS spoofing - public for years
     - Detection of GPS trackers using SMS (custom keywords without "authentication")
     - Custom spoofed SMS ("reg my_ip")
     - Not always mandatory to spoof
     - New management server defined
     - Using `balance` to intercept and change the traffic over the Internet:
         balance -b ::ffff:my_ip 8841 203.130.62.29:8841
     - Data traffic modification on-the-fly (mitmproxy, bettercap, …)
     - Use a Faraday cage
     - Don't do this at home

  16. Active Radio Attack
     - Voice
     - Using the device to listen (2G)
     - Call-back support (by SMS)
     - Microphone
     - Movement/noise detectors
     - Cameras
     - Additional wireless interfaces
     - Wireless client
     - Scanner
     - RF attack surface

  17. Network - attack surface
     - Multiple trackers - multiple remote management servers
     - 3 GPS trackers, 3 different back-ends
     - Infrastructures based on a few OEM solutions
     - Chinese IPs but:
       - located in China,
       - located in Germany,
       - located in the UAE (open ports, banking websites, …)
     - Reverse engineering of protocols: done
     - Specific traffic: on the ISP side, easy to detect, extract coordinates and modify on-the-fly
     - APIs
     - Live demo

  18. Hardware Attack
     - GPS chips:
       - U-blox G7020
       - SIMCom SIM800
     - Support of GPS, GLONASS, QZSS, Galileo
     - Flash memory (4 MB)
     - MediaTek SoC (ARM - MT6261DA)
     - No protection against physical attacks
     - UART port
     - Firmware dumping
     - Debug interface available
     - Analysis (ARM)
     - Hidden commands found

  19. Software Attack
     - ARM dump
     - Loaded within IDA Pro
     - Nucleus RTOS
     - Data Line S8 Locator - hidden commands
     - Backdoor SMS codes
     - Different trackers, different OEMs, different commands, different network protocols
     - Not all of these SMS commands seem to be functional
     - SMS parsing, quick'n'dirty
     - HTTP client and custom client
     - Parsing prone to errors
     - No firmware update features

  20. Android/iOS Clients
     - Dynamic analysis (Android emulator)
     - Static analysis (jadx)
     - Results:
       - Authentication (login/password)
       - API access
       - (Lack of?) authentication for APIs
       - Needs an unrelated valid session
       - Communication over HTTP (no encryption)
       - http://m.999gps.net/OpenAPIV2.asmx with debug!
       - http://m.999gps.net/OpenAPIV2.asmx?WSDL (full description!)
       - Insecure Direct Object References (IDOR)
       - IDOR already found by the Trackmageddon team in January 2018!

  21. Web Interface - attack surface
     - Web site
     - Live information (GPS, speed)
     - Replay
     - Geofence definition
     - OEM version (.NET) provided to a lot of providers of GPS products

  22. Web Interface - attack surface - Geofence
     - Authentication based on the last 7 digits of the S/N
     - Default password: 123456
     - Geofence:
       - Stop/start command with a remote control (!)
       - Auto-shutdown of the car (!)
       - Alerts (SMS, push on app)
     - Vulnerable to IDOR
     - Anyone can geofence your tracker
     - Blindly trusts the (forged) GPS information sent to the server
     - Good idea, very bad implementation

  23. Web Interface - attack surface
     - Web interface full of vulnerabilities
     - IDOR everywhere (tracker ID: 82383)
     - Full history of GPS tracker data
     - APIs
     - Let's dig
     - Full of vulnerabilities
     - Same as Android/iOS
     - Kudos to the Trackmageddon team (pwn of 100s of APIs)
     - Live demo
     - GDPR?

  24. Conclusion
     - Thanks!
     - Black box devices - implementations from big OEM vendors
     - Used everywhere (in industrial machines too)
     - Cell-IDs - can be used to map the critical mobile telecom infrastructure of a given country
     - Huge subject (including RE, network analysis, SDR, web) - a real CTF
     - Hope you had fun!
     - Still some work to do!
     - At xen1thLabs we are committed to uncovering new vulnerabilities that combat tomorrow's threats today.
