In-brief: research into GPS tracking devices used by the government of Columbia to help protect journalists and activists reveal a raft of serious security and privacy holes: more evidence of endemic insecurity in the connected device space.
We use the word “endemic” to describe diseases that are common among a certain people or habitants (human or otherwise) of a particular area. Malaria, for example, is “endemic” in many parts of Africa. The word comes from the same Greek word for people, demos, that gives us the word “democracy.”
I think its safe to say that “endemic” is an equally useful term to start applying to the connected device space, where finding serious security flaws is just a matter of turning over a (technologic) stone here or there. The latest example of this: Rapid7’s warning on Monday about serious security and privacy violations in a popular GPS tracker, the Eview, which is used to track the location of wayward children, seniors, pets, spouses and just about anyone else.
Rapid7 researcher Deral Heiland published an alert detailing seven issues with the Eview EV-07S GPS tracker. Together, the flaws would allow a remote attacker to identify deployed tracker devices, remotely reset devices, harvest and modify GPS location data and more.
The most serious of the vulnerabilities concern flaws that allow attackers to remotely reset GPS trackers. With knowledge of the EV-07S’s registered phone number, the EV-07S device can be reset to factory level setting by sending “RESET!” as a command in an SMS message to the device, Heiland found. Only the phone number is required; no password or physical access is required to accomplish this task. After a factory reset, the device can then be reconfigured remotely via SMS messages without need of password.
Heiland also found that a malicious actor could view the confidential data from any other Eview user, so long as they had the public web address of a Eview tracker application and knew a user’s unique, five digit user ID. Given the small range of valid user IDs, Rapid7 noted that it would be easy for attackers to uncover valid IDs.
Further, a malicious actor who had access to the Eview management console could gain access to others users configuration and device GPS data if they know or guess a valid userId, device IMEI or TrackerID, Rapid7 said.
Those kind of attacks might sound far-fetched, but they’re not. Aside from the obvious worries (parental custody battles, jealous lovers/spouses), there are other, real concerns. The Rapid7 research was carried out at the request of Associated Press, which was investigating whether the devices, which are distributed by Colombia’s Office of National Protection as a panic button, or “boton de apoyo.” The device is a response to the thriving for-profit kidnapping industry. They are distributed to “high risk” individuals which, in Columbia, includes everyone from journalists to labor and land activists.
Unfortunately, the vulnerabilities discovered by Rapid7 could unwittingly expose the EV’s wearer to harm. Attackers who obtained phone numbers associated with devices (known only to the Office of National Protection) could effectively take over tracker devices without the user’s OK or knowledge.
Given the history of state-sponsored violence and repression in Columbia, the devices themselves, which also contain microphones, have become suspect within the activist community, with the result that many activists have ceased using them. Activists’ concerns about the devices – including their potential use as spying tools by the government – were in many instances supported by the research by AP and by Rapid7.
Read more over on Rapid7’s blog: R7-2016-28: Multiple Eview EV-07S GPS Tracker V… | Rapid7 Community and Blog