How to hack your way out of home detention!

Similar documents
GSM Open-source intelligence

1.264 Lecture 26. Security protocols. Next class: Anderson chapter 4. Exercise due before class

MONGOOSE VT606 GPS VEHICLE TRACKER

Haicom HI-604 GPS Tracking Device with 5-years Standby Battery

Wireless Security Security problems in Wireless Networks

GPSteltronic Tracking Platform Operation Guide

General GPS Vehicle Tracker. User Manual V1.0

Tracker in Motion from BMS User Manual

GLOBAL SYSTEM FOR MOBILE COMMUNICATION (2) ETI2511 Friday, 31 March 2017

User s Manual. SJ-5291 Mini GPS Tracker GPRS+GPS. Sheng Jay Automation Technologies Co., Ltd.

Understanding IMSI Privacy!

FIFOTRACK PARAMETER TOOL USER GUIDE V1.1

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

GSM Hacking. Wireless Mobile Phone Communication 30 th January 2014 UNRESTRICTED EXTERNAL

-- Command Code Setting --

Tracking Platform Operation

Operation Guide. Mobile Phone & Website Tracking Platform. Android App Download. Iphone App Download ENGLISH. Genius Advanced Technologies

ZENDA Manager User Guide. Applicable Model: ZD-VT1

GC-101 GPS / GSM Micro Tracker

Banner Connected Data Solutions Web Service

Hardware Quick Installation Guide

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

MONGOOSE VT604 GPS-GPRS TRACKER OWNERS MANUAL

GPS Tracking Watch Manual

GETTING A GOOD START WITH TRACKING

GPS PERSONAL TRACKER. User Manual. Error! No bookmark name given.

Worldwide Release. Your world, Secured ND-IM005. Wi-Fi Interception System

GLOSSARY OF CELLUAR TERMS

TKP19F GPS Tracker for Pets

Mobile Security Fall 2013

User Guide. Accessories: GPS Tracking Device. Product Overview

IoT in 2016: a serious overview of IoT today and a technical preview of HoneyVNC. By Yonathan Klijnsma

FIFOTRACK VEHICLE GPS TRACKER. Model: S30 Version: V1.1

GPS Vehicle Tracker (GPS+GSM+SMS/GPRS) User Manual (A5E-3)

USER MANUAL V5.0 GT60

User Guide. Accessories: GPS Tracking Device. Product Overview

User Guide. Accessories: GPS Vehicle Tracking Device. Product Overview

The telephone supports 2 SIM cards. All functions are available for both SIM cards and have independent settings.

GPS Watch Tracker USER MANUAL. (Model: WT100)

GPS+Glonass Vehicle location Tracker

TX-5 LBS ANTI-THEFT ALERT SYSTEM (LBS+GSM+SMS/GPRS) Fast Installation Instruction & User Manual

KidsConnect KC2 4G GPS Tracker Phone User Manual. Model ILW01

Cyber Security & Ethical Hacking Training. Introduction to Cyber Security Introduction to Cyber Security. Linux Operating System and Networking: LINUX

GETTING A GOOD START WITH TRACKING

TrackingTheWorld.com. CAT-200X Ankle Tracker Tracking Device USER MANUAL

FIFOTRACK MOTORCYCLE/VEHICLE GPS TRACKER

FREQUENTLY ASKED QUESTIONS

BT200 BICYCLE GPS TRACKER

GSM/GPRS/GPS Tracker GL300 User Manual

Cyber security tips and self-assessment for business

Wireless Attacks and Countermeasures

GPS Tracker AT06 manual Ver

GPS Vehicle Tracker. User Manual V6.1 VT300

What is a Wireless LAN? The wireless telegraph is not difficult to understand. The ordinary telegraph is like a very long cat. You pull the tail in Ne

GPS Vehicle and personal location tracker. User manual

GPS Personal Tracker User Manual V1.0 GT601

Ready Track OBD Vehicle Tracker

GSM/GPRS/GPS Tracker (LDW-TKV116) User Manual. Version 1.4

GPS Motorcycle/Vehicle Tracker USER MANUAL. (Model: TK668)

Presentation Content

GPS TRACKER PHONE WATCH USER GUIDE

GPRS Intercept: Wardriving your country. Karsten Nohl, Luca Melette,

TK-STAR GPS TRACKER USER MANUAL

User Manual (Version 2.0T)

TR-206 User Manual. Version 1.0

GPS Tracker ST-902 User Manual

C O N T E N T (CLICK THE TITLE AND JUMP TO THE CONTENT)

Wireless Network Security

INVICTUS 3G/GPRS MODEM TECHNICAL INFORMATION

InTimeGo-623 Pets GPS Tracker User Manual

Internet of Things (IoT) Attacks. The Internet of Things (IoT) is based off a larger concept; the Internet of Things came

Smart Tracking Watch. User Manual

GSM/GPRS/GPS Tracker. G05 User Manual

A Practical, Targeted, and Stealthy attack against WPA-Enterprise WiFi

AVL-900 Hardware Quick Installation Guide

Advanced Diploma on Information Security

GSM/GPRS/GPS Tracker GL300 User Manual

Semi-Active GSM Monitoring System SCL-5020SE

WorldTracker Enduro Users Manual

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

STREETWIZE TRACKER INSTRUCTION MANUAL

User Guide. Accessories: GPS Tracking Device. Product Overview

1. Introduction. 2. Product Overview Appearance Buttons/Mini USB Interface Description. UBI5000E User Manual

TrackingTheWorld Global Asset Tracker (GAT)

ST-908 User Manual GPS Vehicle Tracker

Wireless KRACK attack client side workaround and detection

Linux in the connected car platform

S911 Personal Locator V4 Utility & Quick Start Manual

Copy9 FOR SYMBIAN 9.X

INSTITUTO DE MATEMÁTICA E ESTATÍSTICA UNIVERSIDADE DE SÃO PAULO. GSM Security. MAC Computação Móvel

Endpoint Security - what-if analysis 1

JRC06Z 3G GPS/WCDMA Tracker

Drone /12/2018. Threat Model. Description. Threats. Threat Source Risk Status Date Created

GH4000 Sample User Guide 1.0

Exam Advanced Network Security

Attacks on WLAN Alessandro Redondi

GPS Tracker Instruction

T8124GSE & T8124G USER GUIDE

GPS tracking system USER GUIDE. Personal/Asset/Pet GPS TRACKING SYSTEM - 1 -

TZ-AVL05 User Guide V3.27

Transcription:

How to hack your way out of home detention!

About me! William @Amm0nRa Turner! @Assurance!

About presentation! Acquire a home detention tracking system! Get a BladeRF SDR! Use open source GSM software stack! Spoof GSM tower! Intercept and spoof tracker location messages! Replay local RF beacon!

! Disclaimer:! I own this system (and 0wn it)! The following information is for academic purposes only! Don t use this for evil! If you do, you may go to jail!

Home Detention Systems I own this system (and 0wn it)! Used to monitor 'low risk' criminals in their homes. e.g.:! Woman gets home detention in green card immigration scheme [October 2014, Los Angeles]! Private investigator who hacked email gets 3 months jail, 6 months home detention [June 2015, New York]!

How home detention systems work! Older systems ran over phone lines, used RF for ankle bracelet proximity! Newer systems use GPS, cell network as well as short range RF!

In America! On a normal day some 200,000 people wake up with a black plastic box strapped to their leg James Kilgore, 2012!

Getting hold of one! Very hard to even get info! Social Engineered a 'sample' unit out of a Taiwan manufacturing company for ~$1k - GWG International Inc! Different states/police forces use different trackers, difficult to know if/where this unit is used in the USA.! Other trackers probably have at least some of the same vulns! Lacked detailed manuals - found car tracking system running same 'OS!

Operation! GPS for location, home base unit with short range RF, tamper detection! Battery life depends on configuration, can be recharged without removing anklet! Base unit also has battery to deal with power outages! Communicates over SMS or GPRS (TCP socket) with server! Accepts commands to change settings username and password!

The System base unit!

The System base unit!

Internals Teardown!

Anklet!

Anklet!

Anklet Internals!

Anklet Internals!

Operation! Interesting commands/features which can be set/enabled/triggered:! username! network APN! SMS numbers! Geo-Fence coords! vibration alert! clear log! password! SMS-TCP mode! status report interval! buzzer! log to file settings! fiber optic break detection! reed switch detection!

GSM Security! GSM is encrypted using A5/1 (/2/3)! Ki embedded in SIM card used to authenticate SIM, network not authenticated well known issue! Kc is temporary key used to encrypt traffic! IMEI used as unique ID, phone number only known by network, not SIM!

SDR! SDR software defined radio! BladeRF!

YateBTS! Open source GSM stack based on OpenBTS, allows JS scripts to control network functions! Can be used to spoof real network. need to find MCC/MNC of local telcos - illegal! Faraday cage ($2 roll of tin foil) to block real telco signal and encourage connecting to rogue network!!

MitMing! If in TCP mode, can simply MitM socket very easy! If in SMS mode, much harder, but doable!

Intercept status messages! #username,$gprmc,110834.902,v,3750.580,s, 14459.1854,E,0.00,0.00,141014,,*07,ST-1- M27-0-3885mV-50.0! username used to auth commands sent to anklet, sent in status messages! $GPRMC...*07 is a NMEA standard Recommended minimum specific GPS/Transit data, GPS cords/ timestamp! 07 is hex checksum on GPS data!

Understanding message! Last part of message: e.g. ST-1-M27-0-3885mV-50.0! Not fully decoded, but not required! Does include: RF beacon code, charging status! Possibly includes message type, battery charge, local cell towers!

Spoofing SMS! Many different 'providers'! costs ~30c per sms! We will be using smsgang.com NOT pranktexts.com! Must know the number to spoof...! 3 ways to get it...!

Pull SIM card! Why not just do this normally?! Replace with another SIM card?!

Brute force pin! Default pin is 0000, start brute force with dictionary attack! Need to drop status messages and let anklet retransmit on real network! Once pin is found: have full control of device. To get number, change config to send status to phone you control!

Brute force pin! Pin must be 4 chars long! Only allows letters and numbers! Math.pow(36, 4) == 1,679,616! SMS transmission speed of about 30 SMS messages per minute! Around 39 days to try every possible pin!

Kraken rainbow tables! Karsten Nohl (BlackHat 2010)! Allow reversing Kc of GSM traffic captured from air using SDR! Once Kc is known, can decrypt SMS/GPRS/voice! Can forge messages! Send forged message to your own phone to get number!

Kraken rainbow tables! Not able to stop real messages! But if you have a faraday cage and two SDRs...! Kc changes often! Probably have to wait a long time to snoop command get pin!

Alcoholics Anonymous!

Live Demo! Assume we have the anklet number from one the attacks I just described! Faraday cage, spoof network! Decode message, replace latlngs! Recalculate checksum, encode! Script POST to SMS spoof service! Google map to points, green delivered to phone, red captured by spoofed network!

RF Base Unit! Uses 434.01 MHz! Frequency Shift Keying (FSK)! Heartbeat beacon every 10 seconds!

Attacks?! Static doesn t change (unknown: unique to each device?)! Record base station heartbeat with hackrf/ BladeRF/other SDR, replay!

BLACK HAT! DO NOT USE THIS IN THE REAL WORLD! YOU WON'T MAKE IT TO JAIL!

System detection! War drive scanning for base unit RF beacons! Slow/expensive unless you can detect RF from a long range. Better to use court docs/newspapers to get names and dox! Jam base station, cell, gps cheap, easy very illegal! Spoof real network and brute force pin, take control of anklet, impersonate user/ crack Kc, get number, jam real device, spoof fake coords!

BLACKHAT/Monetization! If people break the rules of their sentence, they normally go to jail.! Black mail user? How?! Sell spoofing device/service! Do 'cyber hit's on people for a fee!

Summary! Home detention systems have issues! Could be improved mutal auth, encryption! Can't be improved/hard jamming, user locating!

Future?! Try to get code exec from malformed SMS?! Remove IC, dump ROM and look for bugs/backdoors! Write software 'emulator' for the anklet pull SIM and plug into any smartphone! Use SDR to spoof GPS see other talk happening right now! Questions?! I probably ran out of time, so talk to me later!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback