Security Experts:

Connect with us

Hi, what are you looking for?


Black Hat

Spoofing Locations Made Easy

In the hours proceeding the annual Hack In The Box conference in Amsterdam, researcher Don Bailey visited Boston, Afghanistan, Libya, and at the White House. Or so his tracking device reported.

In the hours proceeding the annual Hack In The Box conference in Amsterdam, researcher Don Bailey visited Boston, Afghanistan, Libya, and at the White House. Or so his tracking device reported.

The Zoombak, used by Bailey, is just one of many commercial location-reporting devices on the market today. On its site, the company offers different use cases for its product, such as tracking your school-aged child, tracking your pet, or tracking your elderly parent. Zoombak in particular rose to prominence when Oprah endorsed it on her show. Naturally Bailey, a security researcher with iSEC Partners, wanted to see what was inside and whether he could spoof his location.

Spoofing GPS LocationThe device is essentially a GSM module with a separate MicroController. If you want to find a particular Zoombak, the service sends a SMS over GSM with A5/2 encryption and then the device responds with its location via pure HTTP. The trick, said Bailey, is to intercept the SMS. Fortunately, he knew how.

The concept of security by obscurity is dead, yet device manufacturers persist in thinking that out of all the possible mobile numbers in the world, the chances of anyone finding their particular GSM module number is so remote that it must be secure. In previous talks, however, Bailey, working with Nick DePetrillo on something known as the Carmen Sandiego Project, has demonstrated the ability to discover the physical location of any cellular device simply by looking at its international mobile subscriber identifier (IMSI), its base station signal, and other commonly broadcast information. In my book When Gadgets Betray Us I go into more detail about Bailey’s methods and I also talk about how GSM A5/2 encryption is considered insecure (it has been cracked since 1999).

For his Zoombak device, Bailey said he was able to find the T-Mobile sessions used by the service by checking the cellular networks’ home location register (HLR). He then performed a search for all the numbers that are “on” but disabled incoming calls and only allowed SMS. Guess what? Not that many fit the bill. He could now send HTTP as that number, and thus appear to be in variety of different countries within a matter of minutes.

The broader implications of Bailey’s research are scary. One can, using Bailey’s methods, spoof SMS responses from GSM-based traffic control systems and SCADA systems. Basically, any remote device that uses SMS over GSM modules is vulnerable to this kind of attack. Oddly, this would include GSM-based skimmers placed on ATMs, which would be good thing if law enforcement knew how to intercept these devices.

Aside from using a more secure form of GSM encryption (for example A5/3), if these devices are not smart enough to properly authenticate input, then it is entirely possible for someone else to remotely gain control of them. Bailey’s talk — “A Million Little Tracking Devices: Turning Embedded Devices into Weapons”–offers more details about the methods he used and the possible consequences. Anyone thinking of a launching a device that uses GSM modules should be aware of this research.

Written By

Click to comment

Expert Insights

Related Content

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


The EU's digital policy chief warned TikTok’s boss that the social media app must fall in line with tough new rules for online platforms...


Meta was fined an additional $5.9 million for violating EU data protection regulations with WhatsApp messaging app.

Cloud Security

AWS has announced that server-side encryption (SSE-S3) is now enabled by default for all Simple Storage Service (S3) buckets.

Mobile & Wireless

As smartphone manufacturers are improving the ear speakers in their devices, it can become easier for malicious actors to leverage a particular side-channel for...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...