How to hack your way out of home detention



Similar documents
GPS Vehicle Tracker USER MANUAL VT-108

IDD-213T User Manual. (Rev. 1.0) China Aerospace Telecommunications Limited

Fleets Vehicle GPS Tracker TR-11E User Manual (Version 1.0)

GPS Vehicle and personal location tracker. User manual

USER MANUAL V5.0 VT300

WIRELESS SECURITY. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

GSM Risks and Countermeasures

Technical Manual. (TLT-2H GPS/GSM Vehicle Tracker) V1.5

GPS / GPRS Vehicle Tracking for use with Online Mapping Services

Fleets Vehicle GPS Tracker TS20 User Manual. (Version 1.0)

Mobile Phone Network Security

VEHICLE GPS TRACKER USER MANUAL VT-108

CatTraQ Live 2 User Manual

PERSONAL GPS TRACKING SOLUTION TL206

User Manual (UDTTV01 V 1.6

GSM/GPRS/GPS TRACKER USER MANUAL

CatTraQ Live 3 GPRS Tracking

Car Alarm Tracker Manual

GPS Vehicle Tracker. User Manual V7.0 VT300

Vehicle GPS Tracker JV200 User Manual

E. The Password is for the security purposes and the SMS commands can be used after the password verification.

GSM teknik. GPS Tracking System TK-06A. User Manual

GPS Vehicle tracker (Anti-theft Tracking & Positioning) USER MANUAL

GSM/GPRS/GPS TRACKER USER MANUAL

Mobile Phone & Website Tracking Platform Operation Guide

Marine-Electronic SA Tel , rue Louis de Savoie Fax CH 1110 Morges

Mobile Security. Practical attacks using cheap equipment. Business France. Presented the 07/06/2016. For. By Sébastien Dudek

GPS Vehicle Tracker User Manual VT810

GSM/GPRS/GPS PORTABLE VEHICLE TRACER GPS104 User manual

Spylamp2 Bicycle GPS Tracker Instruction Manual

SPYTEC 3000 The system for GSM communication monitoring

Defending mobile phones. Karsten Nohl, Luca Melette,

VEHICLE GPS TRACKER SOLUTION

GPS Vehicle tracker (GPS+GSM+SMS/GPRS) User Manual. (Version 5.0N)

GSM/GPRS/GPS PORTABLE VEHICLE TRACKER USER MANUAL UM03

GSM Research. Chair in Communication Systems Department of Applied Sciences University of Freiburg 2010

GPS TRACKER USER MANUAL

GPS Vehicle Tracker (GPS+GSM+GPRS) User Manual For GT02 (Version 1.2)

GPS TRACKER SETUP GUIDE

Technical Notes TN 1 - ETG FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

A web-based GPS/Location Tracking Service. It allow you to track your mobile vehicles, assets, people and even animals.

GSM / GPRS / GPS VEHICLE TRACKER XT-009

GPS Vehicle tracker (GPS+GSM+SMS/GPRS) GT06 User Manual

LA-9011 GSM/GPS Tracker User Manual

999GPS Tracking Platform Operation Guide

Falcon Protector Tracking System

3. Security Security center. Open the Settings app. Tap the Security option. Enable the option Unknown sources.

Cloud Services MDM. ios User Guide

GPS Hardware. GSM / GPS In-Vehicle / Personal Tracker

999GPS.net Tracking Platform Operation Guide

COURSE NAME: INFORMATION SECURITY INTERNSHIP PROGRAM

MT90 Applications 3. MT90 Features 3. MT90 Main Functions 4. MT90 Specifications 4. Inside the Box 6. Your MT90 7. Getting Started 12

How to hack VMware vcenter server in 60 seconds

User Manual. Genius GPS / GSM 810 Real Time GPS Tracker. Android App Download. Iphone App Download ENGLISH. Genius Advanced Technologies

Norton Mobile Privacy Notice

PG88 GPS Tracker Watch Manual

MVT400 USER MANUAL. GPS Vehicle Tracker. User Manual V1.52 MVT400. Page 1 of 27

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

Firmware version: 1.10 Issue: 7 AUTODIALER GD30.2. Instruction Manual

PREFACE SUMMARY. Mobile Network (GPRS) communication established. No power to the unit or the unit cannot start

WHITE PAPER Usher Mobile Identity Platform

CCTR-800 Portable Real Time GPS Tracker

GPS/SMS/GPRS TRACKER TK103A VEHICLE CAR REALTIME TRACKING DEVICE SYSTEM

TR-151A / TR-151E Vehicle/Asset Tracker User Manual. Version 1.0.0

AL900 USER MANUAL. GPS Vehicle Tracker. User Manual V5.5 AL900. Page 1 of 19

VT600X USER MANUAL. GPS Vehicle Tracker. User Manual V5.4 VT600X

How To Use A Gps Tracker Device

CRYPTUS DIPLOMA IN IT SECURITY

MEITRACK T1 User Guide

CCTR-810 Real Time Car GPS Tracker

Mini A8 Instructions. Location Inquiry /Track Inquiry/ Battery status Inquiry Electronic fence/voice Callback/ Emergency Alarm.

Quectel Cellular Engine

CCTR-811 Vehicle GPS Tracker

Teltonika FM41XX. Configurator v. 1.0

Overview. 1. GPS data tracking via GSM SMS / GPRS. 2. GPS data logging in internal memory. 3. Alarm alert via GSM SMS / Dialing / GPRS

GPS Vehicle Tracker (GPS+GSM+GPRS) User Manual (Version 1.2)

Monitoring mobile communication network, how does it work? How to prevent such thing about that?

GPS WATCH Q50 MANUAL

CCTR-805-V2 3G Car GPS Tracker

GPS Tracking Solution GPS GSM Tracker

Using your Encrypted BlackBerry

GPS GPRS Tracking System

Vehicle Monitoring Quick Reference Guide

USER MANUAL V5.0 ST100

Tinfoil attack. A study on the security threats and weaknesses of GSM-based communication in BMW cars. Thijs Houtenbos, Jurgen Kloosterman

GPS Vehicle Tracker. User Guide V2.1 VT400

User Manual. GPS/GSM Vehicle Tracker V 500

UVI Group Corporation User manual for PT502. Super Mini Vehicle Tracker PT502. User Manual

Breaking the Security of Physical Devices

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

RHINO TRACKS STANDARD GPS VEHICLE TRACKER

introduction to femtocells

User s Manual. Revision Copyright 2012 by Laipac Technology Inc.

MCOM VEHICLE TRACKING SYSTEM MANUAL

GPS Vehicle Tracker. User Manual V7.1 VT310

GPS+GSM+GPRS. AVL Automatic Vehicle Tracker PST-AVL01

Kaseya 2. User Guide. for Network Monitor 4.1

SIM800 Series_SSL_Application Note_V1.01

Security Awareness For Server Administrators. State of Illinois Central Management Services Security and Compliance Solutions

Linux Network Security

Transcription:

How to hack your way out of home detention

About me William @Amm0nRa Turner @Assurance

Disclaimer: I own this system (and 0wn it) The following information is for academic purposes only Don t use this for evil If you do, you may go to jail

Home Detention Systems I own this system (and 0wn it) Used to monitor 'low risk' criminals in their homes. e.g.: Woman gets home detention in green card immigration scheme [October 2014, Los Angeles] Private investigator who hacked email gets 3 months jail, 6 months home detention [June 2015, New York]

How home detention systems work Older systems ran over phone lines, used RF for anklet bracelet proximity Newer systems use GPS, cell network as well as short range RF

In America On a normal day some 200,000 people wake up with a black plastic box strapped to their leg James Kilgore, 2012

Getting hold of one Very hard to even get info Social Engineered a 'sample' unit out of a Taiwan manufacturing company for ~$1k - GWG International Inc Different states/police forces use different trackers, d ifficult to know if/where this unit is used in the USA. Other trackers probably have at least some of the same vulns Lacked detailed manuals - found car tracking system running same 'OS (GS-818 - SAN JOSE TECHNOLOGY, INC)

Operation GPS for location, home base unit with short range RF, tamper detection Battery life depends on configuration, can be recharged without removing anklet Base unit also has battery to deal with power outages Communicates over SMS or GPRS (TCP socket) with server Accepts commands to change settings username and password

The System base unit

The System base unit

Internals Teardown

Anklet

Anklet: JTAG Header(?)

Anklet Internals K9F5608U0D vibration motor Cinterion MC551

Anklet Internals M430F5418 434.01MHz Module

Operation Interesting commands/features which can be set/enabled/triggered: username network APN SMS numbers Geo-Fence coords vibration alert clear log reed switch detection password SMS-TCP mode status report interval buzzer log to file settings fiber optic break detection

GSM Security GSM is encrypted using A5/1 (/2/3) Ki embedded in SIM card used to authenticate SIM, network not authenticated well known issue Kc is temporary key used to encrypt traffic IMEI used as unique ID, phone number only known by network, not SIM

SDR SDR software defined radio BladeRF

YateBTS Open source GSM stack based on OpenBTS, allows JS scripts to control network functions Can be used to spoof real network. need to find MCC/MNC of local telcos - illegal Faraday cage ($2 roll of tin foil) to block real telco signal and encourage connecting to rogue network

MitMing If in TCP mode, can simply MitM socket easy If in SMS mode, much harder, but doable

Intercept status messages #username, $GPRMC,110834.902,V,3750.580,S,14459.1854,E,0.00,0.00,141014,,*07,ST-1-M27-0-3885mV-50.0 username used to auth commands sent to anklet, sent in status messages $GPRMC...*07 is a NMEA standard Recommended minimum specific GPS/Transit data, GPS cords/timestamp 07 is hex checksum on GPS data

Understanding message Last part of message: e.g. ST-1-M27-03885mV-50.0 Not fully decoded, but not required Does include: RF beacon code, charging status Possibly includes message type, battery charge, local cell towers

Spoofing SMS Many different 'providers' costs ~30c per sms We will be using smsgang.com Must know the number to spoof... 3 ways to get it...

Pull SIM card Why not just do this normally? Replace with another SIM card?

Brute force pin Default pin is 0000, start brute force with dictionary attack Need to drop status messages and let anklet retransmit on real network Once pin is found: have full control of device. To get number, change config to send status to phone you control

Brute force pin Pin must be 4 chars long Only allows letters and numbers Math.pow(36, 4) == 1,679,616 SMS transmission speed of about 30 SMS messages per minute Around 39 days to try every possible pin

Kraken rainbow tables Karsten Nohl (BlackHat 2010) Allow reversing Kc of GSM traffic captured from air using SDR Once Kc is known, can decrypt SMS/GPRS/voice Can forge messages Send forged message to your own phone to get number

Kraken rainbow tables Not able to stop real messages But if you have a faraday cage and two SDRs... Kc changes often Probably have to wait a long time to snoop command get pin

Alcoholics Anonymous

Live Demo! Assume we have the anklet number from one the attacks I just described Faraday cage, spoof network Decode message, replace latlngs Recalculate checksum, encode Script POST to SMS spoof service Google map to points, green delivered to phone, red captured by spoofed network

RF Base Unit Uses 434.01 MHz Frequency Shift Keying (FSK) Heartbeat beacon every 10 seconds

Attacks? Static doesn t change until rebooted (unknown: unique to each device?) Record base station heartbeat with hackrf/bladerf/other SDR, replay

BLACK HAT DO NOT USE THIS IN THE REAL WORLD YOU WON'T MAKE IT TO JAIL

System detection War drive scanning for base unit RF beacons Slow/expensive unless you can detect RF from a long range. Better to use court docs/newspapers to get names and dox Jam base station, cell, gps cheap, easy very illegal Spoof real network and brute force pin, take control of anklet, impersonate user/ crack Kc, get number, jam real device, spoof fake coords

BLACKHAT/Monetization If people break the rules of their sentence, they normally go to jail. Black mail user? How? Sell spoofing device/service Do 'cyber hit's on people for a fee

Summary Home detention systems have issues Could be improved mutal auth, encryption Can't be improved/hard jamming, user locating

Future? Try to get code exec from malformed SMS? Remove IC, dump ROM and look for bugs/backdoors Write software 'emulator' for the anklet pull SIM and plug into any smartphone Use SDR to spoof GPS see other talk happening right now Questions? I probably ran out of time, so talk to me later