Post on 21-Mar-2020

1 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: All your GPS Trackers belong to Us...Stop/start command with a remote control (!) Auto-shutdown of the car (!) Alerts (SMS, push on app) Vulnerable to IDOR Anyone can geofence your

Slide 1

All your GPS Trackers belong to Us

Slide 2

Who we are

Pierre Barre, Lead Security Researcher, Mobile and Telecom Lab

Chaouki Kasmi, Lab Director, Mobile and Telecom Lab

Eiman Al Shehhi, Security Researcher, Mobile and Telecom Lab

The opinions and results presented in this article are the sole responsibility of the authors.

Tests and Validation Labs, xen1thLabs, DarkMatter Group

Slide 3

GPS Tracker Technology

Cheap

Using remote management without advertising it

Available everywhere

Compatible with IOS/Android

Slide 4

Presentation

Infrastructure

Devices

Blackbox analysis

Information gathering (FCC ID)

Network analysis (Wireless and wired)

Reverse Engineering (hardware, firmware, clients)

OWASP - webapp

Slide 5

General Architecture

Points of interaction:

• Radio interface (GPS/mobile network)

• Remote servers

• Web application

• Mobile application

• Management protocols

Architecture diagram (labels only): GPS Satellites, Mobile Network, Internet, Tracked devices/items, Tracking reports, Management Servers, Database, Web Servers

Slide 6

Existing research

Web analysis – Trackmageddon (Multiple vulnerabilities in the online services of (GPS) location tracking devices)

Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects

Fidus, Exploiting 10,000+ devices used by Britain’s most vulnerable

Slide 7

Defining attack surfaces

Security of GPS trackers is well-known

Objectives: finding new vulnerabilities/weaknesses, having fun, hacking the planet

Exploitation: detecting trackers (2G, 2.5G, 3G and IP network), tracking people, remotely shutting down car engines, GPS information, BTS and eNodeB information

Attack Surfaces:

Radio – passive (2G, GPRS)

Radio – active (2G, GPRS and GPS)

Network (Layer 3!) – remote management server and custom protocols

Hardware attack - tracker

Software attack - tracker

Software attack - iOS/Android clients

Web interface (management)

Slide 8

Analyzed trackers

Multiple GPS trackers bought online (Aliexpress)

Presentation of the devices

3 types of GPS / infrastructures

GPS infrastructures share the same technologies!

Chinese dominance of existing solutions

2 solutions

GSM (A5/1) interception

Setup of a custom BTS

1 paper in MISC (focused on methodology)

1 scientific paper (focused on privacy)

Slide 9

Passive Radio Attack

YateBTS with sgsntun interface

SIM cards (not USIM)

Live demo!

Registration (using IMEI or S/N and 123456)

Creation of account in advance

Configuration using SMS

First Fail: content of all SMS sent to China (we will come back to this later)

Proprietary protocols over text messages

Slide 10

Passive Radio Attack

Setup is very cheap (BladeRF, SIM cards, Internet)

Very good results in a limited time

All trackers send coordinates to IPs in China

The traffic is not encrypted and is easily identifiable

Passwords sent in clear-text, S/N used as a token

SMS configuration is generic and very dangerous

“Firewall” using a master phone number – bypassed by spoofing Caller-ID

Phone number of the tracker is supposed to be “secret” (security/privacy)

Slide 11

Passive Radio Attack – configuration using SMS

1. SMS (Status) is sent to the tracker from 440025239 over 2G

2. Sniffing of GPRS data from the tracker:

   1. IP packet to 203.130.62.29:8841

   2. 690217122612463 = S/N of the GPS tracker

   3. +440025239 is the sender

   4. Status is the content of the SMS

Only specific commands sent from SMS?

1. SMS (jjjj[…]) is sent to the tracker over 2G

2. The tracker sends the content of the SMS to a remote server (203.130.62.29)

Slide 12

Passive Network Attack – RE of custom protocols

No authentication

\x79\x79\x00 I \xf2 [S/N-ASCII][BLOB-ASCII] \x01\x7e [BLOB-ASCII]

Traffic sent to 203.130.62.29:8841/tcp (geo-located in China)

Basic client allowing us to send forged coordinates

Where is Waldo?

Pinging 203.130.62.29 with 32 bytes of data:

Reply from 203.130.62.29: bytes=32 time=9ms TTL=58

Reply from 203.130.62.29: bytes=32 time=10ms TTL=58

10 ms and 6 hops? To China? Impossible.

203.130.62.29/24 is announced by Etisalat, the largest UAE provider, and hosted in Dubai

Everything (configuration, tracking, information, phone numbers) is sent to UAE

Big trust given to the manufacturer. GDPR, anyone?

Reconfiguration of the management server using SMS = allows expats to set up an SMS forwarding service for no cost

Slide 13

Passive Network Attack – RE of custom protocols

u-blox module – connection to a TCP service on port 56447/tcp:

cmd=full;[email protected];pwd=XXXXXX;lat=22.680193;lon=114.146846;alt=0.0;pacc=100.00

u-blox a-gps server (c) 1997-2009 u-blox AG

Content-Length: 2856

Content-Type: application/ubx

.b..0......

The client then regularly sends information to a second server (8011/tcp) indicating its position:

*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#

*HQ,17000XXXXX,NBR,094111,310,26,02,1,1000,10,23,100119,FFFFFFFF#

*HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF#

*HQ,17000XXXXX,NBR,115117,310,26,02,1,1000,10,22,100119,FFFFFFFF#

Different commands can be detected according to the serial number (17000XXXXX).

2240.8116 corresponds to the latitude 22.408116 and the longitude 11.4088108.
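Added example (not from the slides), covering both the *HQ records shown here and the ISP-side detection point made later on slide 17: a Python parser for these records that converts the ddmm.mmmm fields to decimal degrees (2240.8116 N gives 22.680193, the same latitude the device sent in its A-GPS request above) and flags physically impossible jumps between consecutive fixes, the check a server that blindly stores forged coordinates lacks. The V1 field order is inferred from the records on the slide; the speed and course positions are an assumption, and the third sample record is a constructed forged fix.

```python
# Added example: parser for the *HQ tracker records and a plausibility check
# on consecutive fixes. The V1 field layout is inferred from the sample
# records on the slide; the speed/course positions are an assumption.
import math
from datetime import datetime

# Constructed sample: two records from the slide, then a forged fix near Pyongyang.
SAMPLE = [
    "*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#",
    "*HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF#",
    "*HQ,17000XXXXX,V1,115212,A,3901.5000,N,12545.0000,E,000.0,000.00,100119,FFFFFFFF#",
]

def nmea_to_degrees(value, hemisphere):
    """ddmm.mmmm (NMEA style) to signed decimal degrees: 2240.8116 N -> 22.680193"""
    degrees, minutes = divmod(float(value), 100)
    dec = degrees + minutes / 60
    return -dec if hemisphere in ("S", "W") else dec

def parse_record(line):
    """Split one *HQ record into serial, type and fields; decode V1 positions."""
    if not (line.startswith("*HQ,") and line.endswith("#")):
        raise ValueError("not an *HQ record")
    fields = line[4:-1].split(",")
    rec = {"serial": fields[0], "type": fields[1], "fields": fields[2:]}
    if rec["type"] == "V1":
        t, valid, lat, ns, lon, ew, _speed, _course, d, _status = fields[2:12]
        rec["time"] = datetime.strptime(d + t, "%d%m%y%H%M%S")
        rec["valid"] = valid == "A"        # A = fix valid, V = no fix (NMEA convention)
        rec["lat"], rec["lon"] = nmea_to_degrees(lat, ns), nmea_to_degrees(lon, ew)
    return rec

def distance_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs (haversine)."""
    la1, lo1, la2, lo2 = map(math.radians, (*a, *b))
    h = math.sin((la2 - la1) / 2) ** 2 + math.cos(la1) * math.cos(la2) * math.sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def implausible_jumps(lines, max_kmh=300):
    """(serial, km, time) for valid V1 fixes whose implied speed since the previous fix exceeds max_kmh."""
    flagged, prev = [], None
    for rec in (parse_record(l) for l in lines):
        if rec["type"] != "V1" or not rec["valid"]:
            continue
        if prev is not None:
            hours = (rec["time"] - prev["time"]).total_seconds() / 3600
            km = distance_km((prev["lat"], prev["lon"]), (rec["lat"], rec["lon"]))
            if hours <= 0 or km / hours > max_kmh:
                flagged.append((rec["serial"], round(km), rec["time"]))
        prev = rec
    return flagged
```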

Slide 14

Active Network Attack – RE of custom protocols

There is no authentication in the protocol

We wrote a client in Perl, resulting in locations reported in North Korea:

An attacker able to guess a serial number can send false information to the GPS management infrastructure.

Hint: this is doable

Slide 15

Active Radio Attack

GPS Spoofing – public for years

Detection of GPS trackers using SMS (custom keywords without “authentication”)

Custom spoofed SMS (“reg my_ip”)

Not always mandatory to spoof

New management server defined

Using `balance` to intercept and change the traffic over the Internet

balance -b ::ffff:my_ip 8841 203.130.62.29:8841

Data traffic modification on-the-fly (mitmproxy, bettercap, …)

Use a faraday cage

Don’t do this at home

Slide 16

Active Radio Attack

Voice

Using the device to listen (2G)

Call-back support (by SMS)

Microphone

Movement/noise detectors

Cameras

Additional wireless interfaces

Wireless client

Scanner

RF - attack surface

Slide 17

Network – attack surface

Multiple trackers – multiple remote management servers

3 GPS trackers, 3 different back-ends

Infrastructures based on a few OEM solutions

Chinese IPs but:

Located in China,

Located in Germany,

Located in UAE (open ports, banking websites, …),

Reverse Engineering of protocols: Done

Specific traffic: on the ISP side, easy to detect, extract coordinates and modify on-the-fly

APIs

Live demo

Slide 18

Hardware Attack

GPS chips:

U-blox G7020

SIMCom SIM800

Support of GPS, GLONASS, QZSS, Galileo

Flash memory (4MB)

MediaTek SOC (ARM - MT6261DA)

No protection against physical attacks

UART port

Firmware dumping

Debug interface available

Analysis (ARM)

Hidden commands found

Slide 19

Software Attack

ARM dump

Loaded in IDA Pro

Nucleus RTOS

Data Line S8 Locator – hidden commands

Backdoor SMS codes

Different trackers, different OEMs, different commands, different network protocols

Not all of these SMS commands seem to be functional.

SMS parsing, Quick’n’Dirty

HTTP client and custom client

Parsing prone to errors

No firmware update features

Slide 20

Android/iOS Clients

Dynamic Analysis (android emulator)

Static Analysis (jadx)

Results

Authentication (login/password)

APIs access

(Lack of?) Authentication for APIs

Need an unrelated valid session

Communication over HTTP (no encryption)

http://m.999gps.net/OpenAPIV2.asmx with debug!

http://m.999gps.net/OpenAPIV2.asmx?WSDL (full description!)

Insecure Direct Object References

IDOR already found by the Trackmageddon team in January 2018!

Slide 21

Web Interface – attack surface

Web site

Live information (GPS, speed)

Replay

Geofence definition

OEM version (.NET) provided to a lot of providers of GPS products

Slide 22

Web Interface – attack surface – Geofence

Authentication based on the last 7 digits of the S/N

Default pwd: 123456

Geofence:

Stop/start command with a remote control (!)

Auto-shutdown of the car (!)

Alerts (SMS, push on app)

Vulnerable to IDOR

Anyone can geofence your tracker

Blindly trusts the (forged) GPS information sent to the server

Good idea, very bad implementation

Slide 23

Web Interface – attack surface

Web interface full of vulnerabilities

IDOR everywhere (tracker ID: 82383)

Full history of GPS tracker data

APIs

Let’s dig

Full of vulnerabilities

Same as Android/iOS

Kudos to the Trackmageddon team (pwn of 100s of APIs)

Live demo

GDPR?
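Added example (not from the slides or the vendor's code) for the geofence IDOR described on slides 22 and 23: a Python sketch of the vulnerable handler pattern (object looked up by the id in the request alone) beside the hardened form that resolves the tracker through the caller's ownership, plus a detector that spots a session being refused on many different tracker ids, the signature of id enumeration. Tracker 82383 and the first serial are from the slides; the second tracker, the owners and the fence values are constructed.

```python
# Added example: geofence update with and without object-level authorization,
# plus detection of id enumeration from the audit log of refused requests.
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Tracker:
    serial: str
    owner: str                          # account that registered the device
    geofence: dict = field(default_factory=dict)

# Constructed inventory: 82383 is the tracker id quoted on the slides.
TRACKERS = {
    82383: Tracker("690217122612463", "alice"),
    82384: Tracker("690217122612471", "bob"),      # constructed second device
}
DENIED = []                                        # audit log: (session_user, tracker_id)

def set_geofence_vulnerable(tracker_id, fence):
    """IDOR pattern: the object is fetched by the id in the request and the
    caller is never checked, so any logged-in user can geofence any tracker."""
    TRACKERS[tracker_id].geofence = fence
    return True

def set_geofence(session_user, tracker_id, fence):
    """Hardened form: the tracker must belong to the session user. Unknown and
    foreign ids get the same error so ids cannot be probed for existence."""
    tracker = TRACKERS.get(tracker_id)
    if tracker is None or tracker.owner != session_user:
        DENIED.append((session_user, tracker_id))
        raise PermissionError("tracker not found for this account")
    tracker.geofence = fence
    return True

def enumerating_sessions(denied, threshold=3):
    """Users refused on at least `threshold` distinct tracker ids: someone
    walking sequential ids the way the slides describe."""
    seen = defaultdict(set)
    for user, tracker_id in denied:
        seen[user].add(tracker_id)
    return sorted(user for user, ids in seen.items() if len(ids) >= threshold)
```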

Slide 24

Conclusion

Thanks!

Black box devices – implementations from big OEM vendors

Used everywhere (in industrial machines too)

Cell-IDs – can be used to map the critical mobile telecom infrastructure of a given country

Huge subject (including RE, network analysis, SDR, web) – a real CTF

Hope you had fun!

Still some work to do!

At xen1thLabs we are committed to uncovering new vulnerabilities that combat tomorrow’s threats today.

Slide 25

References

V. Stykas, M. Gruhn, Multiple vulnerabilities in the online services of (GPS) location tracking devices, [online] https://0x0.li/trackmageddon/

Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects, BlackHat Europe 2015, Amsterdam, NL, [online] https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf

osqzss, gps-sdr-sim, [online] https://github.com/osqzss/gps-sdr-sim

302 GPS TRACKER, User Manual, [online] https://fccid.io/2AA64-302/User-Manual/User-Manual-3470390

YateBTS GSM basestation - Open Source Software, [online] https://yatebts.com/open_source/#svn

skylot, jadx, [online] https://github.com/skylot/jadx

S. Ragan, GPS tracking vulnerabilities leave millions of products at risk, CSO, January 02, 2018, [online] https://www.csoonline.com/article/3245312/gps-tracking-vulnerabilities-leave-millions-of-products-at-risk.html

Forbrukerrådet (Norwegian Consumer Council), security issue in kids/elderly tracking watches, October 2017, [online] https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf

Pen Test Partners, Tracking and snooping on a million kids, [online] https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/