A team of researchers working at Fidus Information Security have found a vulnerability in GPS trackers that are commonly used by elderly and kids that could be used to spy on them. They have also found that these safety devices can be controlled by outside attackers using something as simple as a text message. These white-label GPS trackers are assembled in China and repackaged by many companies across Australia, USA, UK, and other countries as well.
Turning A GPS Tracker on Their User
So far, the researchers have pointed out that almost 10.000 persons in the UK use these devices that are offered by companies such as SureSafeGo and Pebbell 2. They are equipped with a SIM card that makes it easy for users to transfer their location and to manage hands-free communications by using a speaker and a microphone that are lined on the device.
Apart from straight cellphone tracking using App tools, with 6 possible methods as of today, this kind of tracking we’re speaking about today goes undetected by exploiting a flaw inside devices.
All these devices can be targeted with a single text message to the SIM and reset them. Attackers can also gain access to the GPS trackers and get a hold of their location, and turn on and off the microphone. This vulnerability also gives attackers full access to other essential features of these products, such as the list of emergency contacts, motion detection sensor, fall detection sensor, and the user-assigned PIN.
The Problems Faced by Users with this Approach
There is not much good news in this regard to keep you safe. The main problem seems to come from the fact that the PIN function is disabled by default on these trackers. Most users are aware of it if they check the instructions about how to use it. When the Pin function is enabled, the user has to use it as a prefix for new commands to be accepted by the GPS device, except to reboot it or reset it. This operations is in detail explained on Fidus’s post.
This is probably one of the most unfortunate examples of bad design and planning. All the problems could be avoided if there was proper implementation of the reset function. Any hackers can send the right reset command and restore the device to defaults setting, and they will erase all the stored contacts on the device. Once the settings are restored, the tracker is open to be hacked because it will be open to connections without the need for a PIN.
This means that hackers only need number associated with the GPS tracker to compromise it. They only need to discover the number associated with the devices to tamper with it. The way they obtain the number is really simple. They use a script to send thousands of messages to numbers that are similar to the one associated with the tracker device. They get this data by purchasing it by the batch
The Solutions to This Problem
The script designed can send as many messages as it needs to all the numbers that are close to the same range as the one they got their hands on. Fidus tried with a sample of 2,500 numbers out of a series, and they got 175 hits in a couple of hours. This figure clocks around a 7% level of success and even such a low figure represent a potential threat to 175 people who could have their devices hacked for no other reason than pettiness.
The quickest solution is to reconfigure the specs of future GPS trackers arriving on the market over the next few months. All new releases will use a unique code for each device that has to be manually set on the device before resetting it. The course of action to increase the security on these devices is to limit the calls and SMSs received to a pre-approved list of contacts. The bad news is that all the devices currently in the market cannot be updated and they will remain vulnerable.
A few suppliers might be willing to upgrade the devices without generating additional expenses to their customers, but most of them are asking their clients to upgrade their devices to new ones to avoid any issues.