Tech researchers in the U.K. are calling for a recall of a popular white-labeled GPS tracking device after finding that it puts its users’ security and privacy at risk.
The GPS tracker is commonly used as a panic alarm for elderly patients, to monitor children, and to track vehicles. The researchers found flaws in the device’s configuration and said these flaws are so “severe” that they are calling for a full recall of the product.
According to Fidus Information Security, a cybersecurity research firm based in the United Kingdom, the product is white-labeled: location tracker companies rebrand it, and more than a dozen companies sell it. They include Pebbell by HoIP Telecom, OwnFone Footprint, and SureSafeGo.
The GPS tracker uses a SIM card to connect to the 2G/GPRS cell network. It does not require an internet connection to function, which means its data cannot be found on exposed-device database sites like Shodan, but the researchers said that other people could remotely access data and control the device through SMS.
The research company noted that the device could be tricked into sending anyone its real-time location just by sending a text message containing a keyword to the device’s phone number. Anyone can also call the device’s phone number to activate its built-in microphone and listen to sounds, including conversations, in the vicinity. Worse, activating the microphone does not alert anyone, so the device user never knows that someone can hear whatever is said in the area.
The study also revealed that a specific command can disable the cell signal altogether, making the device useless.
“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another, and we seem to be leaving security behind; this isn’t going to end well.”
The device can be protected with a PIN, but the PIN is not enabled by default, so the user has to set it up proactively. Even when a PIN has been set, the researchers found that a command can be used to reset it without needing the PIN or any two-factor authentication.
Mabbitt said in an interview with tech media that an attacker only needs to know the device’s mobile number to render the device useless, track the user’s real-time location, or listen to their conversations.
Furthermore, the team found that the devices’ phone numbers can be easily extrapolated from other working numbers, so the attack can be repeated against one device after another.
“We made the assumption that these numbers were purchased in a batch,” the researchers noted.
In a test conducted by a popular technology publication, sending a keyword to a specific phone number caused the device to reply with its exact coordinates, accurate to within a few meters. Within a few seconds, the device also sent the researchers a list of other information, such as its IMEI number and battery level.
“Fixing this broken security would be trivial,” said the team. “All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.”
The severity of the vulnerabilities prompted the team to call the device a “glorified wiretap.”
The disclosure comes a few months after the U.K. announced a proposed new cybersecurity law that would require device makers to sell each connected device with a unique password rather than a conventional default password.
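The fix the Fidus team describes (a unique printed code required for configuration changes, with location and call functions limited to programmed emergency contacts) can be expressed as an SMS authorization check. This is an added example, not code from Fidus or any vendor; the command names, the `Pendant` class, and the sample numbers and device code are hypothetical and constructed for illustration.

```python
import hmac

# Hypothetical command names: the article does not list the device's real keywords.
CONTACT_ONLY = {"LOCATE", "CALLBACK"}  # location and call functions
CODE_REQUIRED = {"SET_CONTACT", "SET_PIN", "FACTORY_RESET", "RADIO_OFF"}  # configuration

def normalise(number):
    """Drop spaces and punctuation so '+44 7700 900123' matches '+447700900123'."""
    return "".join(ch for ch in number if ch.isdigit() or ch == "+")

class Pendant:
    def __init__(self, device_code, emergency_contacts):
        self.device_code = device_code  # unique code printed on this pendant
        self.contacts = {normalise(n) for n in emergency_contacts}

    def authorize(self, sender, text):
        """Return (allowed, reason) for one inbound SMS."""
        parts = text.split()
        if not parts:
            return False, "empty message"
        command = parts[0].upper()
        if command in CONTACT_ONLY:
            ok = normalise(sender) in self.contacts
            return ok, ("emergency contact" if ok else "sender not a programmed contact")
        if command in CODE_REQUIRED:
            supplied = parts[1] if len(parts) > 1 else ""
            # Constant-time compare. The reset command is in this set, so a
            # reset cannot be used to get around the code.
            ok = hmac.compare_digest(supplied.encode(), self.device_code.encode())
            return ok, ("device code" if ok else "missing or wrong device code")
        return False, "unknown command"

    def handle_sms(self, sender, text):
        """Reply text for an allowed command, None (stay silent) otherwise."""
        allowed, _ = self.authorize(sender, text)
        # Silence on denial: a text to a guessed number gets no confirmation back.
        return f"OK {text.split()[0].upper()}" if allowed else None

if __name__ == "__main__":
    # Constructed sample data: reserved UK drama-range numbers and a made-up code.
    pendant = Pendant("K7Q2-9FXA", ["+44 7700 900123"])
    for sender, text in [("+447700900123", "LOCATE"),
                         ("+447700900456", "LOCATE"),
                         ("+447700900123", "FACTORY_RESET"),
                         ("+447700900123", "FACTORY_RESET K7Q2-9FXA")]:
        print(sender, repr(text), "->", pendant.authorize(sender, text))
```

Sender numbers on SMS are not strongly authenticated, so the contact allow-list is the weaker of the two checks; the printed code is what protects configuration.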