Good day. The New Year's mood is about to set in across the country, which means it's time for holidays, salads and taking it easy. I enjoy looking at the information security of the things that surround a person in everyday life, so let's talk about one of them. The GPS tracker, ladies and gentlemen!
What is a GPS tracker?
A GPS tracker is a fairly compact device that lets you accurately determine the current location of the object it is attached to, such as a car. By GPS trackers we will also mean devices that work with our own GLONASS.
Where it is used
Devices of this type are extremely widespread and are used by all kinds of people: parents who want to know where their mischievous child is right now; the valiant police officers checking that grandpa Vasily, out on bail for stealing potatoes, has not left the city limits; the "creative class" waiting for the nearest taxi; stern security officers who monitor the movement of cargo, cash-in-transit vehicles and ordinary trucks, and who want to know whether the drivers of those trucks are siphoning off fuel on the sly, doing side jobs in the evenings or breaking the speed limit. In general, wherever there is a need to know the current position of an object and a number of its properties, we will undoubtedly come across a GPS tracker.
How it works
There is no magic in a GPS tracker. The device is a board with a GPS/GLONASS module and a GSM module. The first is used to get the current coordinates of the object, the second to send them to a remote server, for example over GPRS. The operator then gets this data from the server in a nice Web 2.0 interface with frills and the object's track on a map.
As a result, we have the following scheme of the device operation:
Enough of the boring part, on to the attacks
The obvious attacks on trackers have been known for a long time: why not just jam the signal? It is possible, but not interesting. We are not barbarians. Too much noise, and so on. You can use a fake base station to intercept the data sent by the device, but that is, again, using a cannon to shoot sparrows.
That leaves the software of the device itself and the server side unexamined, so that is what we will look at. Let's start with the latter. There are many services on the net ready both to sell you the tracker itself and to provide a server that aggregates the data from it. All the end user has to do is install the tracker and configure it to send data to a specific server, for example the free gps-trace.com/?page=home. Of course, this option is usually used by private individuals. Large organizations, such as logistics companies, deploy something similar on their own servers.
Thus, an attacker who wants a large amount of data on the movement of various objects needs to compromise one of the public monitoring servers. As practice shows, that is not difficult at all, because most of these web services contain quite trivial vulnerabilities from the OWASP Top 10 list.
Here you have information disclosure:
and cross-site scripting:
and SQL injections:
And all of this runs on servers with a bunch of open ports. Plenty of room for an attacker.
Already at this stage the attacker gets everything he needs: the track, the object's parameters (for example, speed, doors open, fuel level), the current location and information about the tracker (SIM number, IMEI, manufacturer). However, we will not stop there, because our goal is not only to see where someone's child is, but also to try to make that child suddenly "turn up" at the resorts of Somalia, for example. For that we need to fake the data transmitted from the tracker to the server, that is, to get in the middle.
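A server-side plausibility check for the kind of falsified position described above, as an added example that is not from the original article: it flags fixes that imply an impossible speed or a non-increasing timestamp relative to the last accepted fix. The `Fix` record layout and the 200 km/h ceiling are assumptions, and the track is constructed sample data.

```python
import math
from typing import NamedTuple

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 200.0  # assumed ceiling for a road vehicle; tune per fleet


class Fix(NamedTuple):
    ts: int      # Unix time in seconds, as reported to the server
    lat: float   # degrees
    lon: float   # degrees


def haversine_km(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def suspicious_fixes(track, max_speed_kmh=MAX_SPEED_KMH):
    """Return (index, reason) for fixes that cannot follow the last accepted fix."""
    findings, last_good = [], None
    for i, fix in enumerate(track):
        if not (-90 <= fix.lat <= 90 and -180 <= fix.lon <= 180):
            findings.append((i, "coordinates out of range"))
        elif last_good is None:
            last_good = fix
        elif fix.ts <= last_good.ts:
            findings.append((i, "timestamp not increasing"))
        else:
            hours = (fix.ts - last_good.ts) / 3600
            speed = haversine_km(last_good, fix) / hours
            if speed > max_speed_kmh:
                findings.append((i, f"implied speed {speed:.0f} km/h"))
            else:
                last_good = fix  # only plausible fixes move the reference point
    return findings


# Constructed sample: a car in Moscow, one injected fix in Mogadishu, one repeated fix.
TRACK = [
    Fix(1700000000, 55.7558, 37.6173),
    Fix(1700000060, 55.7600, 37.6200),
    Fix(1700000120, 2.0469, 45.3182),    # injected position
    Fix(1700000180, 55.7650, 37.6250),
    Fix(1700000180, 55.7650, 37.6250),   # duplicate timestamp
]
```

The first in-range fix is trusted as the reference, so a deployment would seed it from the last stored position of the same device.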
To get in the middle, we look at the tracker itself. How is it configured? Developers of modern trackers offer a huge number of ways to configure the device. Namely:
1) RS-232
2) SMS
3) GPRS
You can also simply call the tracker and, if a microphone has been connected to it beforehand, hear the nervous sighs of some trucker. For remote configuration the latter two methods are used: SMS and GPRS. So let's get specific and take the Teltonika FM-4200 tracker. This company's trackers are very common, which is why they were chosen for the study.
To send an SMS to a tracker, you need to know its phone number. Where do you get it? This problem can be solved in many ways. For example, you can use the vulnerable server applications discussed above, or google for tracker configs and logs. People like to post them on forums when discussing problems with their devices.
So, the configuration SMS format for Teltonika is as follows: