In the hours proceeding the annual Hack In The Box conference in Amsterdam, researcher Don Bailey visited Boston, Afghanistan, Libya, and at the White House. Or so his tracking device reported.
The Zoombak, used by Bailey, is just one of many commercial location-reporting devices on the market today. On its site, the company offers different use cases for its product, such as tracking your school-aged child, tracking your pet, or tracking your elderly parent. Zoombak in particular rose to prominence when Oprah endorsed it on her show. Naturally Bailey, a security researcher with iSEC Partners, wanted to see what was inside and whether he could spoof his location.
The device is essentially a GSM module with a separate MicroController. If you want to find a particular Zoombak, the service sends a SMS over GSM with A5/2 encryption and then the device responds with its location via pure HTTP. The trick, said Bailey, is to intercept the SMS. Fortunately, he knew how.
The concept of security by obscurity is dead, yet device manufacturers persist in thinking that out of all the possible mobile numbers in the world, the chances of anyone finding their particular GSM module number is so remote that it must be secure. In previous talks, however, Bailey, working with Nick DePetrillo on something known as the Carmen Sandiego Project, has demonstrated the ability to discover the physical location of any cellular device simply by looking at its international mobile subscriber identifier (IMSI), its base station signal, and other commonly broadcast information. In my book When Gadgets Betray Us I go into more detail about Bailey's methods and I also talk about how GSM A5/2 encryption is considered insecure (it has been cracked since 1999).
For his Zoombak device, Bailey said he was able to find the T-Mobile sessions used by the service by checking the cellular networks’ home location register (HLR). He then performed a search for all the numbers that are "on" but disabled incoming calls and only allowed SMS. Guess what? Not that many fit the bill. He could now send HTTP as that number, and thus appear to be in variety of different countries within a matter of minutes.
The broader implications of Bailey's research are scary. One can, using Bailey's methods, spoof SMS responses from GSM-based traffic control systems and SCADA systems. Basically, any remote device that uses SMS over GSM modules is vulnerable to this kind of attack. Oddly, this would include GSM-based skimmers placed on ATMs, which would be good thing if law enforcement knew how to intercept these devices.
Aside from using a more secure form of GSM encryption (for example A5/3), if these devices are not smart enough to properly authenticate input, then it is entirely possible for someone else to remotely gain control of them. Bailey's talk -- "A Million Little Tracking Devices: Turning Embedded Devices into Weapons"--offers more details about the methods he used and the possible consequences. Anyone thinking of a launching a device that uses GSM modules should be aware of this research.