Update: An earlier version of this story included reference to the Pebbell 2 device, but the researchers have since confirmed this is not subject to the same vulnerability thanks to additional security features built on to the existing framework. In particular, the reset and listen-in functions have been blacklisted. Only select functions like 'status' will work if you don't set a PIN, and said PIN can only be reset from a programmed set of numbers.
A WIDELY-USED GPS tracker and alarm for vulnerable people can be tampered with via text message, according to new research from Cambridge-based infosec firm, Fidus. That's Fidus, not Findus - they're the ones that make Crispy Pancakes and other edible war crimes.
Anyway, you may not have heard of the device in question, but there are at least 10,000 of them at large in the UK. You may know the teardrop-shaped pendant by one of many names: Footprint - Anywhere Care, SureSafeGO 24/7 Connect, Ti-Voice - TrackIt24/7, and many more. It's a white-label product out of China, and is widely used in the care sector - the Fidus author says their elderly relative was allocated one by the council.
Before we get into the specifics of how the exploit occurs, we need to go into what the device is and how it works.
First of all, this isn't your standard hack. The device isn't internet connected, so there's little room for hacking in that sense. It relies on SMS messages, because that's how the device itself is designed to communicate. When the vulnerable person presses the panic button, or has a slip picked up by the fall detection, the device broadcasts its GPS coordinates via a text message to friends and relatives. It also has a microphone and speaker built in, so the person can be reached in an emergency.
Because this is how it functions, it makes sense that settings can be tinkered with via a text message. The trouble is that said text message can come from anyone with the number, meaning that people can get the GPS coordinates, turn on the microphone or turn off the cellular connection remotely with a simple SMS message. While users can require a PIN alongside the message to prevent such hijinks, this failsafe is off by default and, in an astonishing design decision, isn't required for the text which remotely resets and wipes the device. Oops.
Now if you've bought this device yourself for private use, then that's arguably a limited risk. Nobody's going to know the phone number on the bundled SIM except you, and you probably need to look it up yourself.
The worry is for places that have bought their device in bulk, like the council the Fidus author described. The researchers ran a Python script to text 2,500 numbers in the same range as their relative's to see how many would respond. In total, 175 devices eagerly pinged back - around seven per cent.
Can they be fixed? Yes. Will they? You wouldn't bet a relative's safety on it.
"Fixing this broken security would be trivial," the researchers write. "All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts."
But there's a but:
"Now these devices are out in the wild I expect there is no way to apply these updates," the report reads. "Any local authorities that are supplying these devices or employers who are using them to keep their workforce safe should be aware of the privacy and security problems and should probably switch to another device with security built from the ground up."
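The fix the researchers describe (a unique code printed on each pendant for configuration changes, with location and call functions limited to programmed emergency contacts), sketched as an SMS authorisation check. This is an added example, not code from Fidus or the device vendor; the command names, message format, lockout threshold and sample numbers are assumptions.

```python
import hmac

# Command names are hypothetical; the article does not give the device's SMS syntax.
CONFIG_COMMANDS = {"reset", "setcontact", "setpin"}   # change configuration
CONTACT_COMMANDS = {"locate", "listen", "status"}     # reveal location / open audio
MAX_BAD_CODES = 5  # assumed lockout threshold; a real device needs a local way to clear it


def normalise(number):
    """Reduce a UK number to digits in international form (44...)."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if digits.startswith("00"):
        return digits[2:]
    if digits.startswith("0"):
        return "44" + digits[1:]
    return digits


class Pendant:
    def __init__(self, printed_code, emergency_contacts):
        self.printed_code = printed_code
        self.contacts = {normalise(n) for n in emergency_contacts}
        self.bad_codes = 0

    def authorise(self, sender, text):
        """Return (allowed, reason) for an inbound SMS of the form 'COMMAND [CODE]'."""
        parts = text.split()
        if not parts:
            return False, "empty message"
        command = parts[0].lower()
        code = parts[1] if len(parts) > 1 else ""
        if command in CONFIG_COMMANDS:
            if self.bad_codes >= MAX_BAD_CODES:
                return False, "locked out"
            # Constant-time comparison of the supplied code with the printed one.
            if hmac.compare_digest(code.encode(), self.printed_code.encode()):
                self.bad_codes = 0
                return True, "code accepted"
            self.bad_codes += 1
            return False, "code required"
        if command in CONTACT_COMMANDS:
            # SMS sender numbers can be spoofed, so this is a filter, not proof of identity.
            if normalise(sender) in self.contacts:
                return True, "known contact"
            return False, "sender not an emergency contact"
        return False, "unknown command"  # default deny


# Constructed sample data: a made-up code and a number from Ofcom's drama-reserved range.
pendant = Pendant("K7Q2-93XD", ["07700 900123"])
```

Under this policy a reset sent without the printed code is refused whoever sends it, which is the check the article says the shipped device lacks.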
Still: nice change for a non-internet-connected device to be found wanting every once in a while, eh? µ