Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Black Hat

Spoofing Locations Made Easy

In the hours proceeding the annual Hack In The Box conference in Amsterdam, researcher Don Bailey visited Boston, Afghanistan, Libya, and at the White House. Or so his tracking device reported.

In the hours proceeding the annual Hack In The Box conference in Amsterdam, researcher Don Bailey visited Boston, Afghanistan, Libya, and at the White House. Or so his tracking device reported.

The Zoombak, used by Bailey, is just one of many commercial location-reporting devices on the market today. On its site, the company offers different use cases for its product, such as tracking your school-aged child, tracking your pet, or tracking your elderly parent. Zoombak in particular rose to prominence when Oprah endorsed it on her show. Naturally Bailey, a security researcher with iSEC Partners, wanted to see what was inside and whether he could spoof his location.

Spoofing GPS LocationThe device is essentially a GSM module with a separate MicroController. If you want to find a particular Zoombak, the service sends a SMS over GSM with A5/2 encryption and then the device responds with its location via pure HTTP. The trick, said Bailey, is to intercept the SMS. Fortunately, he knew how.

The concept of security by obscurity is dead, yet device manufacturers persist in thinking that out of all the possible mobile numbers in the world, the chances of anyone finding their particular GSM module number is so remote that it must be secure. In previous talks, however, Bailey, working with Nick DePetrillo on something known as the Carmen Sandiego Project, has demonstrated the ability to discover the physical location of any cellular device simply by looking at its international mobile subscriber identifier (IMSI), its base station signal, and other commonly broadcast information. In my book When Gadgets Betray Us I go into more detail about Bailey’s methods and I also talk about how GSM A5/2 encryption is considered insecure (it has been cracked since 1999).

For his Zoombak device, Bailey said he was able to find the T-Mobile sessions used by the service by checking the cellular networks’ home location register (HLR). He then performed a search for all the numbers that are “on” but disabled incoming calls and only allowed SMS. Guess what? Not that many fit the bill. He could now send HTTP as that number, and thus appear to be in variety of different countries within a matter of minutes.

The broader implications of Bailey’s research are scary. One can, using Bailey’s methods, spoof SMS responses from GSM-based traffic control systems and SCADA systems. Basically, any remote device that uses SMS over GSM modules is vulnerable to this kind of attack. Oddly, this would include GSM-based skimmers placed on ATMs, which would be good thing if law enforcement knew how to intercept these devices.

Aside from using a more secure form of GSM encryption (for example A5/3), if these devices are not smart enough to properly authenticate input, then it is entirely possible for someone else to remotely gain control of them. Bailey’s talk — “A Million Little Tracking Devices: Turning Embedded Devices into Weapons”–offers more details about the methods he used and the possible consequences. Anyone thinking of a launching a device that uses GSM modules should be aware of this research.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

Black Hat

Cris Thomas, also known as Space Rogue, was a founding member of the Lopht Heavy Industries hacker collective.

Artificial Intelligence

Two of humanity’s greatest drivers, greed and curiosity, will push AI development forward. Our only hope is that we can control it.

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Privacy

Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Privacy

Employees of Chinese tech giant ByteDance improperly accessed data from social media platform TikTok to track journalists in a bid to identify the source...

Application Security

Open banking can be described as a perfect storm for cybersecurity. At one end, small startups with financial acumen but little or no security...

Black Hat

Hundreds of companies and organizations showcased their products and services this week at the 2023 edition of the Black Hat conference in Las Vegas.