<— Back

Vulnerabilities amplified: The GPS trackers case

14:00 – 14:30(SGT) Friday 4 December, 2020

We live in the era of IoT devices, and all those new shiny gadgets. This talk is a compendium on the recent issue with the security of GPS trackers. Still, on the background on this prominent case, we will illustrate the broader problem, and that’s a problem of supply chains, especially in the world of IoT where hardware, firmware and cloud ecosystems merge. We’ll show how the supply chain could amplify security mishaps of these components to a catastrophic extent. We will present previously unpublished information on GPS case, including new IoCs and android applications.

Detailed flow of presentation:

We will focus on GPS trackers being sold on the internet and the “physical” example of them we’ll show how the whole infrastructure operates, what are the weaknesses and vulnerabilities, what is being found in transmitted data which is the vendor and the variety of GPS trackers this problem affects.

In the second part, we’ll be discussing attack vectors and exploitation of found vulnerabilities.

In the intermezzo section, we explain what supply chain is and what are the issues. Regarding the GPS trackers, we are going to demonstrate how we proved our suspicion based on “virtual” research of another tracker found on eBay, which led to the discovery of very same cloud API as in the first case.

The fourth part will be solely focused on the cloud infrastructure, the scale of the issues and how we learned this problem to be of enormous scale. The highlight of this section will be showing that vulnerability that allowed us to get hands-on the re-seller administration interface from where you can manage and control all the trackers. In final thoughts part, we will uncover the scale of the problem, affected apps, and we’ll introduce the possible culprit of this mayhem.