Spoofing Device Location Made Easy
In his talk last week, "A Million Little Tracking Devices: Turning Embedded Devices into Weapons," Don Bailey, a security researcher with iSEC Partners, demonstrated how he had been in Boston, Afghanistan, Libya, and at the White House, all within the 24 hours preceding the annual Hack In The Box conference in Amsterdam. Or so his tracking device said.
The Zoombak device is essentially a GSM module paired with a separate microcontroller, said Bailey. To locate a particular Zoombak, the service sends it an SMS over GSM, protected by the weak A5/2 cipher, and the device responds with its location over plain, unencrypted HTTP. Bailey said he was able to spoof those responses, and thus appear to have been in four or five countries within the previous 24 hours.
As for security by obscurity, Bailey said he was able to find the T-Mobile subscriptions used by Zoombak devices by querying the cellular network's home location register (HLR) and searching for devices that were never "home" yet were still "on," with incoming calls disabled and only SMS allowed.
Bailey's talk focuses on devices designed to track your assets or loved ones, specifically the Zoombak, whose biggest selling point is that you can use it to know definitively where your kids are. Zoombak really took off after it was endorsed by TV personality Oprah Winfrey.
The broader implications of the talk include spoofing responses from traffic control systems, SCADA systems, Kindles, and iPads: basically any remote device that communicates via SMS over a GSM module. Moving to a stronger GSM cipher would help on the radio link, but it is not a substitute for end-to-end authentication of the messages themselves. If these devices do not properly authenticate their input, it is entirely possible for someone else to remotely gain control of them.
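To make the "properly authenticating input" point concrete, here is an added example (not Zoombak's protocol or code, and not from the talk): a toy location check-in like the one described above, parsed once by a service that trusts whatever arrives over plain HTTP, and once by a verifier that requires a per-device HMAC, a fresh timestamp, and no replays. The query-string format, the device id `ZB-0001`, and the shared key are assumptions for illustration.

```python
"""Added example: a location report trusted blindly vs. authenticated.
The message format, device id and key are assumptions for illustration;
this is not Zoombak's actual protocol or code."""
import hmac
import hashlib
from urllib.parse import parse_qs, urlencode

# Hypothetical per-device shared secret (assumed; a real deployment would
# provision one per unit at manufacture and keep it out of firmware dumps).
DEVICE_KEYS = {"ZB-0001": b"example-device-secret"}


def parse_report_unauthenticated(body: str) -> dict:
    """Model of a service that believes whatever arrives over plain HTTP.
    Anyone who knows the endpoint and a device id can 'move' that device."""
    q = parse_qs(body, strict_parsing=True)
    return {"device": q["id"][0],
            "lat": float(q["lat"][0]),
            "lon": float(q["lon"][0])}


def _tag(device: str, lat: float, lon: float, ts: int, key: bytes) -> str:
    # HMAC over the canonical fields, not the raw query string, so parameter
    # reordering or encoding differences cannot be used to bypass the check.
    msg = f"{device}|{lat:.6f}|{lon:.6f}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_report(device: str, lat: float, lon: float, ts: int, key: bytes) -> str:
    """What an authenticated device would send: fields plus timestamp and MAC."""
    return urlencode({"id": device, "lat": f"{lat:.6f}", "lon": f"{lon:.6f}",
                      "ts": ts, "mac": _tag(device, lat, lon, ts, key)})


class ReportVerifier:
    """Accepts a report only if it carries a valid MAC from a known device,
    is fresh, and has not been accepted before (replay protection)."""

    def __init__(self, keys: dict, max_skew: int = 300):
        self.keys = keys
        self.max_skew = max_skew
        self.last_ts = {}  # highest timestamp accepted per device

    def verify(self, body: str, now: int):
        try:
            q = parse_qs(body, strict_parsing=True)
            device = q["id"][0]
            ts = int(q["ts"][0])
            lat, lon = float(q["lat"][0]), float(q["lon"][0])
            mac = q["mac"][0]
        except (KeyError, ValueError):
            return None  # malformed: missing field or bad number
        key = self.keys.get(device)
        if key is None:
            return None  # unknown device id
        if abs(now - ts) > self.max_skew:
            return None  # stale or far-future timestamp
        if ts <= self.last_ts.get(device, -1):
            return None  # replay of an already-accepted report
        expected = _tag(device, lat, lon, ts, key)
        if not hmac.compare_digest(expected, mac):  # constant-time compare
            return None  # forged or tampered
        self.last_ts[device] = ts
        return {"device": device, "lat": lat, "lon": lon, "ts": ts}


if __name__ == "__main__":
    key = DEVICE_KEYS["ZB-0001"]
    v = ReportVerifier(DEVICE_KEYS)
    # Constructed sample: a genuine report from Boston at t=1000.
    genuine = build_report("ZB-0001", 42.360081, -71.058884, 1000, key)
    # Constructed sample: an attacker "moves" the device to Kabul with no key.
    forged = "id=ZB-0001&lat=34.555300&lon=69.207500&ts=1000&mac=" + "0" * 64
    print("unauthenticated parser accepts forgery:", parse_report_unauthenticated(forged))
    print("verifier rejects forgery:", v.verify(forged, now=1000))
    print("verifier accepts genuine:", v.verify(genuine, now=1000))
    print("verifier rejects replay:", v.verify(genuine, now=1010))
```

The MAC gives the service integrity and origin for each report, which is what stops the "I was in Libya this morning" spoof, but it gives no confidentiality: over plain HTTP the location is still readable by anyone on the path, so a real design would also run the check-in over TLS rather than relying on the GSM link cipher.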