Vulnerabilities amplified: The GPS trackers case
14:00 – 14:30(SGT) Friday 4 December, 2020
We live in the era of IoT devices and all those new shiny gadgets. This talk is a compendium of the recent issue with the security of GPS trackers. Against the background of this prominent case, we will illustrate the broader problem: the problem of supply chains, especially in the world of IoT, where hardware, firmware and cloud ecosystems merge. We'll show how the supply chain can amplify security mishaps in these components to a catastrophic extent. We will present previously unpublished information on the GPS case, including new IoCs and Android applications.
Detailed flow of presentation:
We will focus on GPS trackers sold on the internet. Using a "physical" example of one, we'll show how the whole infrastructure operates, what the weaknesses and vulnerabilities are, what can be found in the transmitted data, who the vendor is, and the variety of GPS trackers this problem affects.
In the second part, we'll discuss attack vectors and the exploitation of the vulnerabilities found.
In the intermezzo section, we explain what a supply chain is and what its issues are. Regarding the GPS trackers, we will demonstrate how we confirmed our suspicion through "virtual" research on another tracker found on eBay, which led to the discovery of the very same cloud API as in the first case.
The fourth part will focus solely on the cloud infrastructure, the scale of the issues, and how we learned that this problem is of enormous scale. The highlight of this section will be the vulnerability that gave us access to the reseller administration interface, from which all the trackers can be managed and controlled. In the final thoughts part, we will uncover the scale of the problem and the affected apps, and we'll introduce the possible culprit of this mayhem.
Martin Hron is a security researcher at Avast, a Security BSides Prague organizer, and an abandonware and open source advocate. Martin leads research across various disciplines such as dynamic binary translation, hardware-assisted virtualization and malware analysis. Recently his focus has been IoT and its underlying hardware and software vulnerabilities, spanning from chip to cloud. He is devoted to technology and is a dedicated software and hardware reverse engineer, game programmer, tinkerer, and AI and IoT mantras practitioner.