Over 10k GPS trackers could be abused to spy on individuals in the UK

A vulnerability in a GPS tracker used by elderly people and kids could be exploited by an attacker to spy on individuals using it.

Researchers at Fidus Information Security discovered that a vulnerability in GPS trackers used by elderly people and kids could be exploited to spy on them. Experts discovered that the safety device can be completely controlled by miscreants through a text message.

The white-label GPS trackers are manufactured in China and rebranded by many companies in the UK, US, Australia, and other countries.

Experts pointed out that over 10000 people in the UK use the devices, which are sold by dozens of companies, including Pebbell 2 and SureSafeGo.

The device is equipped with a SIM card that allows it to transfer the user’s location and to provide hands-free communications through a speaker and mic.

Experts discovered that it is possible to send a text message to the SIM and force the device to reset. An attacker can also remotely access the GPS tracker to discover its location, as well as secretly turn on the microphone.

The vulnerability could give the attackers access to the key features of the products, including emergency contacts, fall detection, motion detection, and a user-assigned PIN.

“There were two fundamental flaws with this approach:

  • PIN, by default, was DISABLED. Users of the device only knew about the PIN functionality if they read the appropriate section of the manual.
  • When enabled, the PIN is required as a prefix to any commands to be accepted by the device, except for the REBOOT or RESET functionality.” explained the experts in a blog post.

Experts pointed out that the main issue is the improper implementation of the RESET functionality. An attacker can send the appropriate RESET command to restore the device to factory defaults, which erases all stored contacts and emergency contacts. Once the factory settings are restored, the device is open to hacking because it allows connections without the PIN.

Knowing only the phone number of a GPS tracker is enough for hackers to compromise it. To discover numbers associated with other devices, the experts developed a simple script to send messages to thousands of numbers similar to the one associated with the tracker they tested (numbers were purchased in a batch).

“This means we can attempt to send messages to all the numbers in the same ‘range’ as the one we got our hands on. We decided to start with 2,500 numbers so for example if the number was 07499000500 (it wasn’t!) we decided to check all the numbers from 07499002500 to 07499005000.” continues the analysis.

“Out of the 2,500 messages we sent, we got responses from 175 devices (7 per cent). So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!”

Fortunately, the issue is easy to address in new devices by assigning each device a unique code that must be used for the RESET procedure. Another security feature to implement is limiting the device to receiving SMSs and calls only from a list of approved contacts.
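The command check and the two proposed fixes can be modelled in a few lines. This is an added example, not the vendor's firmware or the researchers' code; the message syntax (PIN typed directly before the command, reset code after the command), the class and function names, and the sample numbers and codes are assumptions made for illustration.

```python
import hmac

PIN_EXEMPT = {"RESET", "REBOOT"}  # per the article, accepted without the PIN prefix


class Tracker:
    """Toy model of the SMS command gate. Assumed syntax: '<PIN><COMMAND> [arg]'."""

    def __init__(self, reset_code, approved, hardened):
        self.pin = None                # PIN is disabled by default
        self.contacts = []
        self.reset_code = reset_code   # fix 1: unique per-device code for RESET
        self.approved = set(approved)  # fix 2: allowlist of sender numbers
        self.hardened = hardened

    def handle_sms(self, sender, text):
        if self.hardened and sender not in self.approved:
            return "DROPPED"           # unknown senders never reach the parser
        body = text.strip()
        authed = self.pin is None      # no PIN set: every command is accepted
        if self.pin and body.startswith(self.pin):
            body, authed = body[len(self.pin):], True
        cmd, _, arg = body.partition(" ")
        if cmd in PIN_EXEMPT:
            code_ok = hmac.compare_digest(arg.encode(), self.reset_code.encode())
            if self.hardened and not code_ok:
                return "DENIED"        # hardened: exempt commands need the device code
            if cmd == "RESET":         # factory defaults: PIN and contacts erased
                self.pin, self.contacts = None, []
            return "OK"
        return "OK" if authed else "DENIED"


def demo(hardened):
    owner, stranger = "+440000000001", "+440000000099"   # constructed numbers
    t = Tracker("D3V-CONSTRUCTED", approved={owner}, hardened=hardened)
    t.pin, t.contacts = "1234", [owner]
    return [
        t.handle_sms(stranger, "STATUS"),   # no PIN prefix
        t.handle_sms(stranger, "RESET"),    # PIN-exempt command
        t.handle_sms(stranger, "STATUS"),   # same request after the reset
        t.handle_sms(owner, "RESET wrong-code"),
        t.handle_sms(owner, "RESET D3V-CONSTRUCTED"),
    ]


if __name__ == "__main__":
    print("as described:", demo(False))
    print("hardened:    ", demo(True))
```

In the model of the behaviour the article describes, the PIN protects STATUS only until an unauthenticated RESET clears it; with the allowlist and per-device code in place, the same messages are dropped or denied.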

Unfortunately, the problem could not be fixed for the devices already on the market.

“Now these devices are out in the wild I expect there is no way to apply these updates. Any local authorities that are supplying these devices or employers who are using them to keep their workforce safe should be aware of the privacy and security problems and should probably switch to another device with security built from the ground up.” conclude the experts.

“Prior to the release of our research we’ve been contacting, and have been working with, some of the biggest UK suppliers to help them understand the risks posed by our findings. Some UK suppliers are looking into and are actively recalling devices and some have not responded.”

UPDATE 16/05/2019 (Fidus Website):

HoIP Telecom / Pebbell 2 have since been in contact and explained why their devices aren’t as vulnerable as others. HoIP Telecom have implemented security features within their Pebbell devices and have blacklisted sensitive commands; such as L1 (listen in) and RESET (remove PINs). Once a PIN has been set on a Pebbell 2 it is not possible to remove this without sending an SMS from a pre-programmed set of telephone numbers – something which is not possible to work out. Should a user not set a PIN, some commands such as STATUS will work on the device but no overly sensitive information can be obtained other than trusted mobile numbers.

Pierluigi Paganini

(SecurityAffairs – GPS trackers, hacking)
