HitB2011AMS: A Million Little Tracking Devices
Frank Breedijk
Slides on the HitB Materials page.
Don's talk focuses on devices that are designed to track your assets or loved ones, specifically the Zoombak, whose biggest selling point is that you can use it to know exactly where your kids are. Zoombak really took off after it was endorsed by TV personality Oprah.
A Zoombak device basically consists of a GSM module and a microcontroller. These two do not share any memory, but talk to each other over a serial channel using AT commands.
One of the first flaws in the Zoombak is that the GSM module can only talk using the decommissioned and broken A5/2 algorithm. A5/2 is so weak that it can be cracked in real time on PC hardware, but Don didn't use this weakness to attack the device.
Because being on the GSM network all the time is too expensive, the Zoombak device works differently. If you want to know the location of the device you send it an SMS; the microcontroller polls the SMS from the SIM and acts on the command, e.g. by sending the location of the device to a website over the GPRS network.
The SMS received by the Zoombak does not only contain what should be sent back, but also the IP address to which the device needs to post this data.
By reverse engineering the messages sent between the microcontroller and the GSM module, Don was able to learn the protocol and to spoof the devices.
Using a small shell script and tons of SMSes you can actually test phone numbers to see if they belong to Zoombak devices. Using a technique Don dubbed 'War Texting' he was able to avoid SMS spam detection, e.g. by changing the nonce and thus generating a different message per host.
But spamming all phone numbers is not needed. There are device characteristics that can be used to narrow the target range, e.g. by polling the HLR we can determine if the device is a T-Mobile device.
The next step after being able to identify a target: can we intercept the data and spoof the device? Yes we can!
So what fun can we have with these devices? They can be used e.g. to learn or spoof the location of valuable goods that are often protected by these devices, e.g. to pinpoint a "good" location for a heist or to convince the security system that nothing is wrong.
What can be done?
- Don't send IP addresses in SMS messages
- Encrypt the SMS messages
- Don't allow non-Zoombak devices to receive IP messages from the Zoombak devices
- Use HLR data to detect fraud
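As an added illustration of the first two points above (not code from the talk or from the Zoombak firmware), here is a small Python simulation of the microcontroller's command handler. The legacy parser mirrors the weak design described: the SMS itself names the IP to post to. The hardened handler pins the upload endpoint in firmware and only acts on commands that carry a valid MAC and a fresh counter, so an SMS from anyone but the legitimate server is ignored. The SMS formats, the endpoint name and the key are all constructed for this example.

```python
import hmac
import hashlib

# Assumed: the upload endpoint is baked into firmware instead of being read from the SMS.
FIXED_UPLOAD_HOST = "tracker.example.invalid"
MAC_HEX_LEN = 32  # 128-bit tag as hex keeps the whole command well inside one 160-char SMS


def parse_legacy_sms(text):
    """Weak design described in the talk: constructed format 'LOC <ip>'.
    Whoever can text the device chooses where the location data is posted."""
    parts = text.split()
    if len(parts) != 2 or parts[0] != "LOC":
        return None
    return {"cmd": "LOC", "upload_to": parts[1]}


def make_sms(key, counter, cmd):
    """Server side of the hardened design: constructed format '<counter>|<cmd>|<mac>'."""
    body = f"{counter}|{cmd}"
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
    return f"{body}|{mac}"


class HardenedHandler:
    """Device side: shared key provisioned at manufacture, monotonic counter against replay."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def handle(self, text):
        try:
            counter_s, cmd, mac_hex = text.split("|")
            counter = int(counter_s)
        except ValueError:
            return None  # malformed, silently dropped
        expected = hmac.new(self.key, f"{counter_s}|{cmd}".encode(),
                            hashlib.sha256).hexdigest()[:MAC_HEX_LEN]
        if not hmac.compare_digest(expected, mac_hex):
            return None  # forged or tampered command
        if counter <= self.last_counter:
            return None  # replay of an older command
        if cmd != "LOC":
            return None  # unknown command
        self.last_counter = counter
        # The destination never comes from the SMS, so it cannot be redirected.
        return {"cmd": cmd, "upload_to": FIXED_UPLOAD_HOST}
```

Confidentiality of the SMS body (the "encrypt" point) is left out here; the example only shows authentication and replay protection, which are what stop a third party from redirecting the device.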
Embedded Security is hard:
- Weak security surface
- Big threat surface
- Many "moving parts"
- The days of obfuscation are over
It is very likely that Zoombak is not the only example of this; mechanisms like this are also used in traffic control systems, SCADA systems and many other applications.
Don A. Bailey is a Security Consultant with iSEC Partners, Inc. With over six years in the field, Don has discovered many unknown security vulnerabilities in widely used software, analyzed new and proprietary protocols for design and implementation flaws, and helped design and integrate security solutions for up-and-coming internet software.
While Don’s primary expertise is in developing exploit technology, he is also well versed at reverse engineering, fuzzing, enterprise programming, binary analysis, root kit detection and design, and network penetration testing. In addition, Don has helped develop and enhance risk management programs for several Fortune 500 companies in recent years and has been invited to speak about risk management from a CISO perspective at government organized conferences.
For the past five years, Don has presented research at several international security conferences discussing topics such as stealth root-kit design, zero-day exploit technology, DECT, GSM, and microcontroller security. Most recently, Don spoke at Blackhat Abu Dhabi 2010 and ToorCon San Diego 2010 regarding vulnerabilities in the global telephone network and the GSM protocol.