[PPT] - All your GPS Trackers belong to Us 1 Who we are Pierre Barre, Lead PowerPoint Presentation

SLIDE 1

1

All your GPS Trackers belong to Us

SLIDE 2

2

Who we are

Pierre Barre, Lead Security Researcher, Mobile and Telecom Lab
Chaouki Kasmi, Lab Director, Mobile and Telecom Lab
Eiman Al Shehhi, Security Researcher, Mobile and Telecom Lab
The opinions and results presented in this article are the sole responsibility of the authors.
Tests and Validation Labs, xen1thLabs, DarkMatter Group

SLIDE 3

3

GPS Tracker Technology

Cheap
Using remote management without advertising it
Available everywhere
Compatible with IOS/Android

SLIDE 4

4

Presentation

Infrastructure
Devices
Blackbox analysis
Information gathering (FCC ID)
Network analysis (Wireless and wired)
Reverse Engineering (hard, firmware, clients)
OWASP - webapp

SLIDE 5

5

General Architecture

Points of interaction:
Radio interface

(GPS/mobile network)

Remote servers
Web application
Mobile application
Management protocols

Internet Internet

GPS Satellites Mobile Network Tracked devices/items Tracking reports Management Servers Data Base Web Servers

SLIDE 6

6

Existing researches

Web analysis – Trackmageddon (Multiple vulnerabilities in the online services of (GPS)

location tracking devices)

Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects
Fidus, Exploiting 10,000+ devices used by Britain’s most vulnerable

SLIDE 7

7

Defining attack surfaces

Security of GPS trackers is well-known
Objectives: finding new vulnerabilities/weaknesses, having fun, hacking the planet 
Exploitation: detecting trackers (2G, 2.5G, 3G and IP Network), tracking people,

remotely shutdown car engines, GPS informations, BTS and eNodeB information

Attack Surfaces:
Radio – passive (2G, GPRS)
Radio – active (2G, GPRS and GPS)
Network (Layer 3!) – remote management server and custom protocols
Hardware attack - tracker
Software attack - tracker
Software attack - iOS/Android clients
Web interface (management)

SLIDE 8

8

Analyzed trackers

Multiple GPS trackers bought online (Aliexpress)
Presentation of the devices
3 types of GPS / infrastructures
GPS infrastructures share the same technologies!
Chinese domination on existing solutions
2 solutions
GSM (A5/1) interception
Setup of a custom BTS
1 paper in MISC (focused on methodology)
1 scientific paper (focused on privacy)

SLIDE 9

9

Passive Radio Attack

YateBTS with sgsntun interface
SIM cards (not USIM)
Live demo!
Registration (using IMEI or S/N and 123456)
Creation of account in advance
Configuration using SMS
First Fail: content of all SMS sent to China (we will come back to this later)
Proprietary protocols over text messages

SLIDE 10

10

Passive Radio Attack

Setup is very cheap (BladeRF, SIM cards, Internet)
Very good results in a limited time
All trackers send coordinates to IPs in China
The traffic is not encrypted and is easily identifiable
Passwords sent in clear-text, S/N used as a token
SMS configuration is generic and very dangerous
“Firewall” using a master phone number – bypassed by spoofing Caller-ID
Phone number of the tracker is supposed to be “secret” (security/privacy)

SLIDE 11

11

Passive Radio Attack – configuration using SMS

1. SMS (Status) is sent to tracker from 440025239
ver 2G
1. Sniffing of GPRS data from the tracker:
1. IP packet to 203.130.62.29:8841
2. 690217122612463 = S/N of GPS tracker
3. +440025239 is the sender
4. Status is the content of SMS

Only specific commands sent from SMS?

1. SMS (jjjj[…]) is sent to tracker using 2G
2. Tracker send the content of SMS to a remote

Server (203.130.62.29)

SLIDE 12

12

Passive Network Attack – RE of custom protocols

No authentication

\x79\x79\x00 I \xf2 [S/N-ASCII][BLOB-ASCII] \x01\x7e [BLOB-ASCII]

Traffic sent to 203.130.62.29:8841/tcp (geo-located in China)
Basic client allowing us to send forged coordinates
Where is Waldo ?

Pinging 203.130.62.29 with 32 bytes of data: Reply from 203.130.62.29: bytes=32 time=9ms TTL=58 Reply from 203.130.62.29: bytes=32 time=10ms TTL=58

10ms and 6 hops ? To China ? Impossible
203.130.62.29/24 is announced by Etisalat, the largest UAE provider, and hosted in Dubai
Everything (configuration, tracking, information, phone numbers) is sent to UAE
Big trust given to the manufacturer. GDPR anyone ?
Reconfiguration of the management server using SMS = allows expats to setup a SMS forward service

for no cost 

SLIDE 13

13

Passive Network Attack – RE of custom protocols

U-Blox module – connection to a TCP service on the 56447/tcp port:

The client then regularly sends information to a second server (8011 / tcp) indicating its

position:

*HQ,17000XXXXX,V1,115112,A,2240.8116,N,11408.8108,E,000.0,000.00,100119,FFFFFFFF# *HQ,17000XXXXX,NBR,094111,310,26,02,1,1000,10,23,100119,FFFFFFFF# *HQ,17000XXXXX,LINK,115112,22,0,6,0,0,100119,FFFFFFFF# *HQ,17000XXXXX,NBR,115117,310,26,02,1,1000,10,22,100119,FFFFFFFF#

Different commands can be detected according to the serial number (17000XXXXX).

2240.8116 corresponds to the latitude 22.408116 and the longitude 11.4088108.

SLIDE 14

14

Active Network Attack – RE of custom protocols

There is no authentication in the protocol
We wrote a client in Perl resulting in locations in North Korea:
An attacker able to guess a serial number can

send false information to the GPS management infrastructure.

Hint: this is do-able

SLIDE 15

15

Active Radio Attack

GPS Spoofing – public for years
Detection of GPS trackers using SMS (custom keywords without “authentication”)
Custom spoofed SMS (“reg my_ip”)
Not always mandatory to spoof
New management server defined
Using `balance` to intercept and change the traffic over the Internet 
balance -b ::ffff:my_ip 8841 203.130.62.29:8841
Data traffic modification on-the-fly (mitmproxy, bettercap, …)
Use a faraday cage
Don’t do this at home

SLIDE 16

16

Active Radio Attack

Voice
Using the device to listen (2G)
Call-back support (by SMS)
Microphone
Movement/noise detectors
Cameras
Additional wireless interfaces
Wireless client
Scanner
RF - attack surface

SLIDE 17

17

Network – attack surface

Multiple trackers – multiple remote management servers
3 GPS trackers, 3 different back-ends
Infrastructures based on a few OEM solutions
Chinese IPs but:
Located in China,
Located in Germany,
Located in UAE (open ports, banking websites, …),
Reverse Engineering of protocols: Done
Specific traffic: on the ISP side, easy to detect, extract coordinates and modify on-the-fly
APIs
Live demo

SLIDE 18

18

Hardware Attack

GPS chips:
U-blox G7020
SIMCom SIM800
Support of GPS, GLONASS, QZSS, Galilleo
Flash memory (4MB)
MediaTek SOC (ARM - MT6261DA)
No protection against physical attacks
UART port
Firmware dumping
Debug interface available
Analysis (ARM)
Hidden commands found

SLIDE 19

19

Software Attack

ARM dump
Loaded within IDA Pro
Nucleus RTOS
Data Line S8 Locator – hidden commands
Backdoors SMS codes
Different trackers, different OEMS, different commands

different network protocols

Not all of these SMS commands seem to be functional.
SMS parsing, Quick’n’Dirty
HTTP client and custom client
Parsing prone to errors
No firmware update features

SLIDE 20

20

Android/IOS Clients

Dynamic Analysis (android emulator)
Static Analysis (jadx)
Results
Authentication (login/password)
APIs access
(Lack of?) Authentication for APIs
Need an unrelated valid session
Communication over HTTP (no encryption)
http://m.999gps.net/OpenAPIV2.asmx with debug!
http://m.999gps.net/OpenAPIV2.asmx?WSDL (full description!)
Insecure Direct Object References
IDOR Already found by Trackmaggedon team in January 2018!

SLIDE 21

21

Web Interface – attack surface

Web site
Live information (GPS, speed)
Replay
Geofence definition
OEM version (.NET) provided to a lot of providers of GPS

products

SLIDE 22

22

Web Interface – attack surface – Geofence

Authentication based on last 7 integers of the S/N
Default pwd: 123456
Geofence:
Stop/start command with a remote control (!)
Auto-shutdown of the car (!)
Alerts (SMS, push on app)
Vulnerable to IDOR
Anyone can geofence your tracker
Blindly trust the (forged) GPS information

sent to the server

Good idea, very bad implementation

SLIDE 23

23

Web Interface – attack surface

Web interface full of vulnerabilities
IDOR everywhere (tracker ID: 82383)
Full history of GPS tracker data
APIs
Let’s dig
Full of vulnerabilities
Same as Android/IOS
Kudos to Trackmaggedon team (pwn of 100s APIs)
Live demo
GDPR?

SLIDE 24

24

Conclusion

Thanks!
Black box devices – implementations from big OEM vendor
Used everywhere (in industrial machines too)
Cell-IDs – can be used to map the critical mobile telecom infrastructure of a given country
Huge subject (including RE, network analysis, SDR, web) – a real CTF 
Hope you had fun!
Still some work to do!
At xen1thLabs we are committed to uncovering new vulnerabilities that combat tomorrow’s

threats today.

SLIDE 25

25

References

V. Stykas, M. Gruhn, Multiple vulnerabilities in the online services of (GPS) location tracking devices, [online]

https://0x0.li/trackmageddon/ Kang Wang, Shuhua Chen, Aimin Pan, Time and Position Spoofing with Open Source Projects, BlackHat Europe 2015, Amsterdam, NL, [online] https://www.blackhat.com/docs/eu-15/materials/eu-15-Kang-Is-Your-Timespace-Safe-Time-And-Position-Spoofing- Opensourcely-wp.pdf https://github.com/osqzss/gps-sdr-sim 302 GPS TRACKER, [online] https://fccid.io/2AA64-302/User-Manual/User-Manual-3470390 YateBTS GSM basestation - Open Source Software, [online] https://yatebts.com/open_source/#svn https://github.com/skylot/jadx GPS tracking vulnerabilities leave millions of products at risk By Steve Ragan, Senior Staff Writer, CSO | JANUARY 02, 2018 https://www.csoonline.com/article/3245312/gps-tracking-vulnerabilities-leave-millions-of-products-at-risk.html security issue in kids/ elderly tracking watches https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf https://www.pentestpartners.com/security-blog/tracking-and-snooping-on-a-million-kids/