

Tech Researchers Call For A Recall Of A Popular GPS Tracking System



Tech researchers are calling for a recall of a problematic GPS tracking system.

Tech researchers from the U.K. are calling for a product recall of a widely sold white-labeled GPS tracking device that they found puts its users’ security and privacy at risk.

The GPS tracker is commonly used as a panic alarm for elderly patients, to monitor children, and to track vehicles. The researchers found security flaws in the way the device is configured and called them so “severe” that they are asking for a full recall of the product.

According to Fidus Information Security, a cybersecurity research firm based in the United Kingdom, the product is white-labeled by location tracker companies and rebranded and sold by more than a dozen companies, including Pebbell by HoIP Telecom, OwnFone Footprint, and SureSafeGo.

The GPS tracker uses a SIM card to connect to the 2G/GPRS cell network. The device does not need an internet connection to function, which means its data does not show up on exposed-device search sites like Shodan; however, the researchers said that other people could remotely read data from and control the device through SMS.

The research company noted that the device could be tricked into sending anyone its real-time location just by texting a keyword to the device’s phone number. The device’s number can also be called to activate its built-in microphone and listen to sounds, including conversations, within its vicinity. Worse, activating the microphone alerts nobody, so the user never knows that someone is listening to whatever is said nearby.

Anyone can trick the system into sending real-time location information just by sending a text message to the device’s phone number with a keyword. Image from @zackwittaker / Twitter

The results of the study have also revealed that a specific command can also disable and kill the cell signal altogether, making the device useless.

“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” said Fidus’ Andrew Mabbitt, who wrote up the team’s findings. “This day and age, everything is connected one way or another, and we seem to be leaving security behind; this isn’t going to end well.”

Even though the device can be protected with a PIN, the PIN is not enabled by default, and the user has to set it up proactively. And even when a PIN has been set, the researchers found that another command can reset it, with virtually no second factor required.

Mabbitt said in an interview with tech media that an attacker only needs to know the device’s mobile number to render the device useless, track the user’s real-time location, or listen to their conversations.

Furthermore, the team that exposed the vulnerabilities in the GPS tracking system found that device phone numbers can be easily extrapolated from other working numbers, so an attack could be repeated across many devices in series.

“We made the assumption that these numbers were purchased in a batch,” the researchers noted.

In a test conducted by a popular technology publication, texting a keyword to a device’s phone number caused the device to reply with its exact coordinates, accurate to within a few meters. Within a few seconds, the device also sent back other information, such as its IMEI number and battery level.

“Fixing this broken security would be trivial,” said the team. “All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.”
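The locked-down design the team describes, as an added Python model that is not Fidus’s or any vendor’s code: a per-device code (a constructed value standing in for the code printed on the pendant) gates configuration changes, and the location and microphone functions answer only senders already programmed as emergency contacts. All command names, phone numbers and coordinates are constructed for the example.

```python
"""Model of an SMS-command tracker hardened as the researchers suggest.

Constructed example: the command vocabulary, numbers and coordinates are
invented here and do not describe any real product's protocol.
"""
from dataclasses import dataclass, field


@dataclass
class Tracker:
    # Unique code assumed to be printed on each pendant (constructed value).
    device_code: str
    # Numbers pre-programmed as emergency contacts; empty on a new device.
    emergency_contacts: set = field(default_factory=set)
    # Constructed sample fix, so the example runs offline.
    location: tuple = (51.5074, -0.1278)
    mic_enabled: bool = False

    def handle_sms(self, sender: str, text: str) -> str:
        """Process one inbound SMS and return the reply the device would send."""
        parts = text.strip().split()
        if not parts:
            return "ERR empty"
        cmd, args = parts[0].upper(), parts[1:]

        # Configuration changes need the printed per-device code as the first
        # argument; knowing the phone number alone is not enough.
        if cmd in ("ADDCONTACT", "RESET"):
            if not args or args[0] != self.device_code:
                return "ERR unauthorized"
            if cmd == "ADDCONTACT" and len(args) == 2:
                self.emergency_contacts.add(args[1])
                return "OK contact added"
            if cmd == "RESET":
                self.emergency_contacts.clear()
                self.mic_enabled = False
                return "OK reset"
            return "ERR usage"

        # Location and microphone functions answer only to emergency contacts.
        if sender not in self.emergency_contacts:
            return "ERR unauthorized"
        if cmd == "LOCATE":
            lat, lon = self.location
            return f"LOC {lat:.4f},{lon:.4f}"
        if cmd == "MIC":
            self.mic_enabled = True
            return "OK mic on"
        return "ERR unknown"
```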

The severity of the vulnerabilities in the device prompted the team to call it a “glorified wiretap.”

The disclosure comes a few months after the U.K. announced a proposed cybersecurity law that would require makers of connected devices to ship each one with a unique password rather than a shared default password.

A consumer tech and cybersecurity journalist who does content marketing while daydreaming about having unlimited coffee for life and getting a pet llama. I also own a cybersecurity blog called Zero Day.



‘Critical’ VLC Zero-Day Warning Raised



Photo: VLC Website

Cybersecurity researchers have warned users of the popular multimedia player, VLC, of a “critical” vulnerability that could expose them to potential risks once exploited by threat actors.

The German cybersecurity firm CERT-Bund said in a security warning that its researchers have flagged a vulnerability in VLC that hackers and other malicious actors could use to compromise a device on which the media player is installed.

The CERT-Bund researchers said that users could be tricked into running malicious code on computers with VLC installed, because the flaw enables remote code execution (RCE), unauthorized modification and disclosure of data and files, and disruption of service. In other words, the user would unknowingly run malicious code on their device and be exposed to several kinds of risk at once.

The vulnerability, known as CVE-2019-13615, is found in the software’s latest version, VLC Media Player version The flaw has been rated 9.8 in NIST’s National Vulnerability Database, which places it at the ‘critical’ level.

While there is still no known exploitation in the wild, the researchers are warning users to hold off on updating their software or downloading the new version of the media player.

“A remote, anonymous attacker can exploit a vulnerability in VLC to execute arbitrary code, create a denial of service state, disclose information, or manipulate files,” reads the CERT-Bund disclosure.

Interestingly, while the vulnerability affects many environments, including the Windows, Linux, and UNIX versions, the macOS version of VLC appears to be unaffected.

VLC 3.0.7 Vetinari is the seventh release in the software’s Vetinari line and was released earlier last month. VLC Media Player is one of the most popular media players on the market, with more than 3 billion downloads to its name. Its popularity comes from being free, open-source, and portable.

VLC Media Player, maintained by the non-profit organization VideoLAN, runs on Windows, macOS, and Linux, with versions for Android and iOS as well. Its ability to play a wide variety of audio and video formats makes it one of the most popular third-party media players on the market.

Given VLC Media Player’s number of active users and total downloads, an exploit for the discovered vulnerability could cause a massive cyber attack outbreak.

Last month, VLC patched two major vulnerabilities with a similar impact. The vulnerabilities allowed a remote user to create specially crafted avi or mkv files that, when loaded by the target user, would trigger a heap buffer overflow on the targeted system.

The researchers said that opening such a malformed file on the target user’s device could, in the best case, merely crash VLC and, in the worst, give hackers elevated privileges on the user’s device. They warned that a hacker only needs to trick a potential victim into opening a seemingly innocuous video in VLC.

“The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied,” they said in a security advisory. Those vulnerabilities were patched when VideoLAN released version 3.0.7, but apparently a similar flaw also affects the new version.

Last month, VideoLAN released the biggest single security update for VLC Media Player in the program’s history. The update included fixes for 33 vulnerabilities in total, of which two were marked critical, 21 medium, and ten low. The release notes list:

  • Improvements for HDR support on Windows, including for HLG streams
  • Improvements on the Blu-ray support, notably for menus
  • Fixes for some 10bit and 12bit rendering on Windows 10
  • Fixes for UPnP discovery on MacBooks with a TouchBar
  • Numerous security issues: One high-security issue, 21 medium, and 20 low-security issues were fixed, ranging from integer overflow to buffer overflows, with out-of-read violations and stack overflows.

VideoLAN told users that it has been working on a patch for the new flaw in version 3.0.7 for the past four weeks and is currently 60 percent through it.



Chinese Fugitive Caught By Police Using Facial Recognition

It’s part of China’s project called “Sharp Eyes.”



Photo by Bill Oxford on Unsplash

After a run of reports detailing the ills of facial recognition systems has dominated the conversation around the unregulated technology, a rare positive story arrived earlier this week when a fugitive was caught by a facial recognition system in China.

Chinese police officers arrested an unnamed fugitive at a Cantopop star’s concert in Zhanjiang city, at the southwestern end of Guangdong province. The arrest was largely attributed to the facial recognition system Chinese law enforcement uses at concerts and other crowded gatherings to spot fugitives and wanted criminals. The system has been in use since late 2017.

The Zhanjiang public security bureau released video of the arrest on the law enforcement agency’s official TikTok account.

The suspect was reportedly a die-hard fan of the pop star. As he stood in line to get into the concert, his image was captured by a camera at the ticketing booth and matched to a fugitive in the database. The police apprehended him in the middle of the show.

Chinese police are using facial recognition to arrest suspects in concerts

This is not the first time that a suspect has been apprehended while attending a concert in China. Between December 28 and 30 in 2018, more than 22 wanted men were identified at a concert by Hong Kong Cantopop star Jacky Cheung Hok-Yau in Suzhou, a city west of Shanghai.

In May 2018, a man was also arrested when a facial recognition system identified his photo while he was attending a crowded concert in China. The suspect was identified with the surname Yu and was under investigation since 2015 for allegations of stealing more than $17,000 worth of potatoes.

“A few minutes after he passed through the security checkpoint, our system issued a warning that he was a wanted person,” said Shen Yueguang, an official from the Nanhu District Public Security Bureau, referring to the May 2018 arrest.

In the same month, another man wanted for “economic crimes” was arrested in Jiangxi province in southeast China after facial recognition cameras detected his presence at a Cheung concert attended by 60,000 people.

The arrests are emblematic of China’s growing eagerness to establish a nationwide surveillance system with plans from the government to integrate an array of camera systems that monitor roads, shopping malls, transportation hubs, and buildings.

The project, known as “Sharp Eyes,” aims to target criminals, arrest fugitives, predict crime and monitor the habits of the country’s 1.4 billion people.

The United States is doing it too

China isn’t the only country with such plans. The United States has long been working on a surveillance network of its own: the FBI’s Next Generation Identification system uses face recognition to match crime scene images against a national database of mug shots.

However, academics continue to point to the risks of using facial recognition to fight crime, raising concerns about how inaccurate these systems are and how unregulated their use is.

A study by Clare Garvie of the Georgetown Law Center revealed that police departments are feeding celebrity images, artists’ sketches, and other unconventional photos into facial recognition systems to generate a match. These images, called “probe photos,” are matched against police mugshot and driver’s license databases.

“The stakes are too high in criminal investigations to rely on unreliable—or wrong—inputs. It is one thing for a company to build a face recognition system designed to help individuals find their celebrity doppelgänger or painting lookalike for entertainment purposes. It’s quite another to use these techniques to identify criminal suspects, who may be deprived of their liberty and ultimately prosecuted based on the match. Unfortunately, police departments’ reliance on questionable probe photos appears all too common,” Garvie wrote in her study.

“NYPD officers arrested after texting a witness a single face recognition ‘possible match’ photograph with accompanying text: ‘Is this the guy…?’ The witness’ affirmative response to viewing the single photo and accompanying text, with no live lineup or photo array ever conducted, was the only confirmation of the possible match before officers making an arrest,” she added.

Alongside their concerns about how police and governments use facial recognition technology, critics continue to press for regulation of these systems. Garvie said that even if the FBI can improve the accuracy of the algorithms it uses, none of it will matter as long as regulation lags in making sure the systems are not abused.



North Carolina Passes Bill To Stop Robocalls And Scammers

The law also applies to text solicitors.



Photo by Rock'n Roll Monkey on Unsplash

Robocalls have become the target of recent legislation and regulation at both the federal and state level, after the House and the Senate each released their versions of a robocall deterrent law that would impose sanctions on illegal callers. Now, tired of the slow progress of federal regulators, the state of North Carolina has drafted its own law targeting robocallers and scammers with fines and penalties.

On Monday, North Carolina passed a bill that would require callers to use their real name and number, or the information of the business they represent. Primarily, the law aims to stop “call spoofing,” in which companies hide their identities from consumers to trick them into answering robocalls.

In a unanimous 45-0 vote, the Senate passed the bill following its passage by the House last month. The bill now awaits the decision of Gov. Roy Cooper on whether it becomes law, after which the state can begin enforcing the penalties it sets out against violators.

Under the new bill, call spoofers and robocallers who do not disclose their real numbers and the businesses they represent face fines of up to $5,000. While call spoofing is already illegal at the federal level, the bill gives North Carolina’s authorities the power to go after solicitors and robocallers themselves.

Additionally, the new law targets not only callers but also those who use text messaging as their platform for solicitation or harassment.

According to State House Speaker Tim Moore, who sponsored the bill back in May, robocalls are a priority concern for his constituents, especially the elderly.

“When I went out campaigning this last year … I heard more about people getting scammed phone calls than any single thing else,” he said.

Rep. Chris Humphrey, a Lenoir County Republican, also said that the new North Carolina bill would give the state and its authorities new tools for a heavier crackdown on robocallers. “The penalties are civil at this point and will begin to make spammers reconsider when making these annoying calls,” he wrote in an email.

Humphrey acknowledged that the new law would not eliminate all the spam calls plaguing North Carolina residents. Many of these calls originate outside the country and are hard to trace, let alone prosecute. However, he is optimistic that the bill could lighten the load of scam calls his constituents receive.

Currently, consumers can add themselves to a state Do Not Call registry to stop telemarketers and robocallers from calling them. Yet despite the law prohibiting companies from calling numbers on the DNC registry, North Carolina received 168,022 “Do Not Call Registry” complaints in 2018, according to figures from the Federal Trade Commission.

For the past year, both the FTC and the Federal Communications Commission have stepped up their crackdown on call spoofers and robocallers. Despite their efforts, the nation’s robocalling problem persists: figures show that consumers receive at least five million robocalls every month, and the problem has affected basic services such as the healthcare industry.

In response, both the House and the Senate have drafted laws to penalize robocallers and to empower regulators such as the FTC and the FCC to enforce rules against violators.

In a bipartisan bill called the Stopping Bad Robocalls Act, the Senate aims to stop bad calling practices and impose penalties on violators. It will also empower the FCC and the FTC to impose more onerous regulations to halt the robocall problem.

Similarly, the House voted for the passage of the TRACED (Telephone Robocall Abuse Criminal Enforcement and Deterrence) Act, which would put more onus on major telecom and cell service providers to address the problem and do a better job of authenticating calls.

As part of its efforts to stop robocalls, the Federal Communications Commission has also voted to allow service providers to block robocalls by default, a move many providers have already followed through on by releasing free robocall-blocking features in their services.
