
Hello and welcome to [unclear] breaking the trackers, or how to win Eurovision, for BSides Athens 2020. My name is Vangelis Stykas. I work as a senior penetration tester at Pen Test Partners in my day-to-day job, and in my free time I'm focusing on the APIs of any IoT I could find.

Today's talk is about GPS trackers and how they have flooded the market. As you can see here, the projected size of the GPS tracker market is over two and a half billion by 2023. There are GPS trackers for everything, from pets to cars to pretty much everything. The scariest of all are the car ones, because some of them have OBD-II access, which means that they can control the car if it is owned.

The common problem that we see is that most trackers are using some common APIs from white label resellers. As you can see here, there's a third-party platform that multiple mobile apps are using; they're paying, rebranding and using it. And this commonality in vehicle trackers we have seen repeatedly: one of the cases was [unclear], which was using the same API backend as Viper, which was the white label platform, CalAmp.

Everything that is going to be shown to you today was already released in early 2018. It was work I did with [unclear] on Twitter, [unclear]; you can see the full findings on this link. It affected close to 2 million GPS tracking devices. Unfortunately, the passing years meant that the issues were not fixed and the tracking devices more than doubled, so we are looking at close to 50 million GPS tracking devices right now. The device types were three hundred and seventy at that time; it's close to five hundred right now, and most of them are from the Chinese OEM which is named ThinkRace. [unclear] in Abu Dhabi, and it was never secure: it's not using HTTPS on any of their APIs, and that's the least of their problems.

They also have a pretty strange definition of open source. As you can see here, they are "open source partners", which means you have to pay them to give you their source code, and that is not how open source works. Here we have a tracker, and when you go to the web page to update the firmware or the manual, you see that page: they are using ThinkRace buttons and it seems that [unclear]. As I said, ThinkRace is a white label reseller [unclear]. No API call required authentication; as it was a SOAP service, it was just as easy as browsing to the WSDL files to get the documentation, which was freely available. All variables were incrementing integers, which means dumping the whole database was pretty easy. Whenever I saw something that said "vendor-specific", it resulted either in SQL injection or RCE. I didn't explore those because we have to follow the Computer Misuse Act. But yeah, most of the [unclear], so you could look at [unclear] and you can easily identify from the endpoint name: whenever you see an open API, a dash and a number, [unclear] means that this is a ThinkRace server. All you start with is [unclear] one, two, three, four, five, six; [unclear] and some of them were resellers, so you could see thousands of devices.

The attack vector is an attack straight from the 90s: it's pure IDOR, you could do pretty much everything just by changing a number. The Google dork for you to find any or all of the servers is the URL of an API v2; the v2 had 126 results, the v3 had even more, but you can try whatever number you like from one to five and see any open [unclear]. As you would see in some of the following [unclear], devices can [unclear]. So in order to identify where the device is located: you didn't obviously get the last [unclear] allocated to a country, but you can get the phone number of the device and get the country code from that, so that you know where the devices are. To query the device, you can just [unclear] the [unclear] detail; the result returned includes pretty much everything: the server, location, phone numbers, names. Obviously this isn't [unclear] and it's real, but the bad thing that I see in here is [unclear], which is scary: there are servers that have admin endpoints that still have no authentication at all. You can retrieve the existing firmware or even upload new firmware for all the devices, so you brick or own all the devices of the platform, making it [unclear].

As I said, we are currently looking at five hundred vulnerable devices, and I couldn't fit all the names that are vulnerable; I think there were more than 100 right now, I just stopped looking at some point. What can we do? We can track anyone, we can send an email, we can [unclear], we can change the [unclear], or we just [unclear] update, change the firmware with our own and take over the device. For the other [unclear] I hope that [unclear] is named [unclear] and also the [unclear]. I know the vendor never responded after four years, three years; [unclear]. I have sent emails, I have phone called, I even called their data centre, but no response at all.

The classical horizontal privilege escalation that would allow anyone to view and control any device by sending [unclear] commands: at least I had to create one account and buy one device to get access, so it's with authentication but no authorization. This one's even scarier because, as we see afterwards, with ThinkRace you had to do some mumbo jumbo to actually trigger it; in the GPS UI you just do [unclear] and it responds. You can see in here it's the serial number; the PSN is also an incrementing integer, and you can send any command, any [unclear] command, to anyone's devices.

So what can we do? We can abuse the SIM and make money off it. We could set up a premium line, which would cost us about sixty pounds to set up and fifty pounds per year; we can [unclear] a command to the device phone, we can keep calling until the credit expires and we would get the [unclear]. This is a viable solution, but you need to be [unclear], which is 155 pounds per year, and you also have to wait six weeks for the first payment, and a lot of legal issues will arise at some point. So the other scenario: on every platform that is vulnerable to an IDOR, we could retrieve the existing owner phone number of the tracker, change that on the tracker, then trigger it to call back or send an SMS to that line, since [unclear] that number to the premium line [unclear].

The trigger conditions: as I said previously, for GPS UI it was quite easy, you could just send a push notification and it will reply with a call or send the SMS. But for ThinkRace you should be able to either create geofence alerts on devices that were moving, or wait for the microphone: set a really low alert level on the microphone, and then when someone talks [unclear] it could send the SMS. So can we call a premium line? As you can see in here, yes you can. The other scenario is [unclear] an existing premium line provider, ask for [unclear], run up the calls, and the next month you get profit; [unclear] a premium provider to [unclear] the legal issues. But yeah, that's probably not the best way of making profit. With text donations, if you are an ethical person [unclear] and feel better for it, you could always use the British Red Cross or any other charity that you like. It's slightly harder to do because it means control of the message; we usually don't have control of the SMS message. It would be possible if we rewrote the firmware and pushed it through ThinkRace, but we didn't at the time [unclear].

And the [unclear] is Eurovision. In order to vote you either call a number or send an SMS with any text; usually the calls are 35p and [unclear] those devices here are ten dollars, so you could send [unclear] votes from each of the devices. So [unclear]: five million devices, 25 times, is seven million votes. The issue is that [unclear] had already thought of it, so you could take all the vote points, but usually those [unclear] have a pretty good [unclear]. There are some numbers [unclear] on how we could win Eurovision, but something that you could actually win are TV shows, so X Factor. This is the UK X Factor: you could send a lot of votes in there. Some more numbers, but you can see [unclear] that we could easily have won the UK X Factor the past five years just by tricking devices that are in the UK into calling and sending SMSes. How could we profit from that? It is very viable: we could just bet on the winners; it's [unclear] low level, it's less likely to be spotted, and the winnings are tax-free. We could also reduce any contender [unclear]: we could trick the devices into constantly calling the call centre and doing [unclear].

Has anyone exploited this? The only thing that we found was a kids' TV talent show in Russia: 41 thousand votes were from one kid. They were easily detected because they came from consecutive numbers from one area, but that is not the case with our basic scenario, because it will not be consecutive numbers or one area.

So the disclosure went really, really badly. We contacted ThinkRace many times, not [unclear]; the [unclear] trackers were fixed because we have also reported over there; the GPS UI ones are also not fixed right now, and this is not [unclear] related to ThinkRace; they are the majority of the trackers that are being sold in the market. [unclear]. The solution to fix this is: stop using trackers, and we are all safe. But if you really need to use them, [unclear] buy a [unclear], don't top up [unclear]; [unclear] premium rate services have a really high risk; keep a low [unclear], minimise the risk of your attack [unclear]. But yeah, just stop using trackers. That was [unclear]. You can follow me on Twitter, [unclear], and you should also follow Pen Test Partners and go to the blog; we regularly post security