'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

Internet boxes blab coordinates on login pages

Black Hat If you want to avoid the cops, or watch deliveries and call-outs by trucks and other vehicles in real time, well, there's potentially not a lot stopping you.

Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular devices are fitted to fleet vehicles, police cars, ambulances, and so on, and blab their coordinates on webpages served by their built-in web servers from their public IP addresses. Thus, they and their vehicles can be found, inspected, and stalked using port scans and search engines, such as Shodan.io.

This security shortcoming was found by accident after an investigation by F5 Labs into Linux malware took an interesting turn, leading the team to stumble across the gossiping gateways. Since then, F5 has sent out more than 13,500 warning notes to people making and operating this exposed equipment, we're told, and has received two replies – one of which was from Sierra Wireless, the manufacturer of most of the discovered gateways.

The location information is leaked from misconfigured cellular gateways that connect equipment in a vehicle to the internet via a cellphone network, or provide Wi-Fi that routes connections to the outside world via a cellular connection.

Gateways from Sierra Wireless, as well as Cradlepoint, Moxa and Digi, were found on the public internet poorly secured by their owners, according to F5. At least in the case of Sierra equipment, they display the unit’s physical location in a device status box on the administrator login page, and possibly still use the username and password defaults of user/12345.

Once logged in to a vulnerable box, a miscreant can meddle with the router's settings, snoop on it, disable it, and so on. Sierra built eight out of ten of the discovered gateways, we're told, and lists California Highway Patrol, Danish National Police, South Wales Police, Seattle Fire Department, and many others, as its customers. Obviously, not every shipped box is subsequently misconfigured by its operators; clearly, though, quite a few are.

Screenshot: one of the gateways' leaky login pages (Source: F5 Labs)

“What happens when people go after police officers because they know where they live,” Justin Shattuck, principal threat researcher at F5 Networks, who gave a Black Hat USA talk this week about the findings, told The Register. “Using GPS we know where they buy their donuts, how long to get their orders – we know where they are down to the metre.”

Shattuck and his colleagues spotted something was up in late October 2016 while investigating a Bashlight malware infection at a major European airport: the software nasty, which brute-forces its way into systems, was found lurking on a digital sign that showed arrival and departure times.

The team scanned the rest of the airport's network that month, and found various Sierra Wireless cellular gateways, one of which was publicly accessible. They took their search wider, and found 49,962 internet-facing Sierra Wireless gateways, 84 per cent of which were in the US. By July this year, that was up to 105,400 hosts, with a significant amount in Europe.

Map: the GPS coordinates of the public-facing cellular gateways (Source: F5 Labs)

The team began looking at what sort of gateways were broadcasting their locations to the public internet. Many were fixed in place; however, some went through regular movements around cities, often during eight or ten-hour shifts. IoT security biz Loryka's Scott Harvey, who worked with the F5 team, told The Register of the moment when he realized what kind of gateway he was following: a cop car in San Francisco.

“We could get the coordinates in real time and track the route of cars,” he explained. “We saw a vehicle in San Francisco go across town and park. When we checked on Google Streetview, we saw the spot was at the police station behind a controlled-access gate. That was an ‘oh shit’ moment – that’s exactly what I said.”

It's going to take a lot of effort to address these information leaks, as it will require alerting users to fetch and install improved firmware, when available. It would also help if equipment prompted people to change their passwords after the first login, and restricted administrative access to particular VPNs or login keys rather than the public internet. The hardware makers contacted by The Register for comment this week had no spokespeople available to talk.

"If it weren’t for white hat researchers, we would be finding out about discoveries like this from news media after a terror attack, which is entirely too late," the team – Shattuck, Harvey and Sara Boddy and Preston Crowe – claimed. "The right thing to do is avoid the risk by remediating now." ®

Biting the hand that feeds IT © 1998–2021