Research

Exploiting 10,000+ devices used by Britain’s most vulnerable

In this post, we're going to detail some of the issues our team identified with an extremely common alarm and GPS device used by vulnerable people around the world (at least 10,000 in the UK alone). The device in question is manufactured in China and appears to be purchased in bulk by numerous providers who simply rebrand and resell it as their own offering. Neither the manufacturer nor the companies reselling the device appear to have conducted any security or penetration testing of it.

Before we start, here's an obligatory summary of what we were able to achieve, all by simply knowing the device's phone number:

Retrieve live GPS data at any time while the device is switched on.

Call the device and have the call automatically answered; a glorified wiretap (the device manual even calls this voice wiretapping!)

Change or completely remove all emergency contacts.

Disable GPRS and effectively render the device useless.

Disable motion alarm.

Disable fall detection.

Power off the device.

Remove any device PIN which had been set.

WHAT IS THE DEVICE?

An elderly relative recently had their local council upgrade their in-home-only emergency panic-button lanyard to one that also detects falls and works anywhere.

The previous system had a pendant that was worn around the neck. It connected to a base station in the house and that, in turn, was plugged into the phone line. The microphone and speaker were at the base station. The battery in the pendant lasted for months.

If the vulnerable person activated the pendant while far from the base station, the emergency answering service couldn't communicate with them (they would, and have, still sent services out to check on the person). If the person was out, for example on a walk or in a buggy to town, pushing the button did nothing at all, because the pendant was out of range of the base station.

The new one with fall detection seems like a great idea. It uses the mobile phone network, which removes the need for a base station and allows the device to work anywhere. The microphone and speaker are on the pendant itself, so communicating with the wearer during an emergency should be easier.

A WEALTH OF FUNCTIONALITY

The device was designed to be practical and easy to use and, in the event of an accident, to make the difference between life and death. As such, a lot of functionality is packed into the small device. The list below is extracted from the manual:

Set and delete authorised numbers.

Listen-in.

Turn LEDs on/off.

Location request.

Cell locate.

Over-Speed alarm.

Geo-fence alarm.

Movement alarm.

Motion alarm.

Fall detection.

Check settings.

Device power settings.

Reboot.

Reset.

Lock your device (we’ll come back to this).

Change password.

So what’s the issue here?

The manufacturer (a Chinese company) built in PIN functionality to lock the device down to the numbers programmed into it. While this sounds secure at first glance, we soon discovered it was not.

There were two fundamental flaws with this approach:

1) The PIN is DISABLED by default. Users only know the PIN functionality exists if they read the relevant section of the manual.

2) When enabled, the PIN must be sent as a prefix to any command for the device to accept it, except for the REBOOT and RESET commands.

The main issue is the RESET functionality, which is a danger on its own. Sending the RESET command restores the device to factory defaults: all stored contacts and emergency contacts are removed, all non-default settings revert, and the device still reports its current GPS location. Once the factory reset has been applied, the device is once again open to anyone, with no PIN required.

In other words, the RESET command gives a malicious user remote access to the device, from which they can conduct further attacks.
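To make the two flaws concrete, here is a small model of the device's SMS command handling. It is an added example written for this post, not the vendor's firmware and not code from Fidus. The command names (Loc, Version, SMS0, Low0, L1, RESET, REBOOT) are those the post lists in its "Examples of commands" section; the "<pin>,<command>" prefix syntax, the DELALL and PIN= commands, the phone numbers, the PIN value and the response strings are all assumptions made for the model. The vulnerable dispatcher ships with no PIN and exempts RESET/REBOOT from the PIN check; the hardened one beside it requires the PIN for every command and only accepts commands from programmed contacts.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed sample state: what a council-provisioned pendant might look like.
# Phone numbers are fictional and the PIN is assumed; neither comes from the post.
PROVISIONED_CONTACTS = {"07700900001", "07700900002"}
PROVISIONED_PIN = "4321"
FAKE_GPS = "51.5007,-0.1246"  # constructed location string for the model

@dataclass
class Device:
    pin: Optional[str] = None          # None = PIN disabled, which is the shipping default
    contacts: set = field(default_factory=set)
    listen_in: bool = False
    sms_alarm: bool = True
    low_battery_alarm: bool = True

    def factory_reset(self) -> None:
        """RESET as the post describes it: contacts, non-default settings and the PIN all go."""
        self.pin = None
        self.contacts = set()
        self.listen_in = False
        self.sms_alarm = True
        self.low_battery_alarm = True

def split_pin(text: str) -> Tuple[Optional[str], str]:
    """Assumed wire syntax: '<pin>,<command>' when a PIN is supplied, else a bare '<command>'."""
    pin, sep, cmd = text.partition(",")
    return (pin, cmd) if sep else (None, text)

def execute(dev: Device, cmd: str) -> Optional[str]:
    """Commands named in the post (Loc, Version, SMS0, Low0, L1); DELALL and PIN= are assumed names.
    Response strings are constructed for the model; the real device's format is not reproduced."""
    if cmd == "Loc":
        return f"GPS:{FAKE_GPS}"
    if cmd == "Version":
        return "IMEI:000000000000000"
    if cmd == "SMS0":
        dev.sms_alarm = False
        return "SMS alarm off"
    if cmd == "Low0":
        dev.low_battery_alarm = False
        return "Low battery alarm off"
    if cmd == "L1":
        dev.listen_in = True
        return "Listen-in on"
    if cmd == "DELALL":
        dev.contacts.clear()
        return "Contacts cleared"
    if cmd.startswith("PIN="):
        dev.pin = cmd[4:] or None
        return "PIN set"
    return None  # unknown command: the device stays silent

def handle_vulnerable(dev: Device, sender: str, text: str) -> Optional[str]:
    """The behaviour the post describes. The sender's number is never consulted."""
    pin, cmd = split_pin(text)
    if cmd in ("RESET", "REBOOT"):              # flaw 2: exempt from the PIN check...
        if cmd == "RESET":
            dev.factory_reset()                 # ...and RESET also wipes the PIN
        return "OK"
    if dev.pin is not None and pin != dev.pin:  # flaw 1: no PIN set means no check at all
        return None
    return execute(dev, cmd)

def handle_hardened(dev: Device, sender: str, text: str) -> Optional[str]:
    """Hardened dispatch: a PIN is mandatory for every command, RESET/REBOOT included,
    and remote commands are only accepted from programmed contacts once any exist."""
    pin, cmd = split_pin(text)
    if dev.pin is None or pin != dev.pin:
        return None
    if dev.contacts and sender not in dev.contacts:
        return None
    if cmd in ("RESET", "REBOOT"):
        if cmd == "RESET":
            dev.factory_reset()
        return "OK"
    return execute(dev, cmd)

def provisioned() -> Device:
    return Device(pin=PROVISIONED_PIN, contacts=set(PROVISIONED_CONTACTS))

def attack_chain(handler: Callable[[Device, str, str], Optional[str]], dev: Device,
                 attacker: str = "07700900999") -> List[Optional[str]]:
    """The chain from the post: an unknown number resets the device, then commands it freely."""
    return [handler(dev, attacker, step) for step in ("RESET", "Loc", "L1", "DELALL")]

if __name__ == "__main__":
    for name, handler in (("vulnerable", handle_vulnerable), ("hardened", handle_hardened)):
        print(f"{name}: {attack_chain(handler, provisioned())}")
```

Against the vulnerable handler, an attacker's bare RESET is accepted, and every following command then works with no PIN because the reset removed it. Against the hardened handler, the same four messages are all dropped: RESET needs the PIN like everything else, and an unknown sender is refused. Note the deliberate consequence of the hardened model: a reset leaves the device with no PIN and therefore no remote command path until the council or reseller re-provisions it out of band, which is exactly the property a remote factory reset must have if it is not to be a way back into the device.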

SO WHAT?

Initially we were unaware of how widespread this device is, as it had been supplied by a local council. Further digging enabled Fidus consultants to identify MULTIPLE companies purchasing the device from China and rebranding it. We found the following companies selling the device, and these are just the UK ones:

Personal Alarm & GPS Tracker with Fall Alert – Unforgettable

Footprint – Anywhere Care

GPS Tracker – Fall Alarm – Amazon/Tracker Expert

SureSafeGO 24/7 Connect ‘Anywhere’ Alarm – SureSafe

Ti-Voice – TrackIt24/7

Many, many more.

We identified this device currently in use in the USA, Australia, Finland, Germany, Spain... you get the idea.

It's worth noting that it's not just vulnerable adults who are supplied these devices; children are too.

BUT WAIT… YOU NEED A PHONE NUMBER

Surprisingly, this was extremely easy to achieve with a little Python script. We already knew the phone number of a SIM provided by a local council, and we assumed that these numbers had been purchased in a batch.

This means we could attempt to send messages to all the numbers in the same 'range' as the one we had. We decided to start with 2,500 numbers, so for example if the number were 07499000500 (it wasn't!) we would check all the numbers from 07499002500 to 07499005000.

Initially we assumed only a few devices would respond off the bat; we had hoped that most people had enabled the PIN feature so that their devices wouldn't respond to our number.

Unfortunately, we were wrong! Seriously wrong!

Out of the 2,500 messages we sent, we got responses from 175 devices (7%). That is 175 devices, in use at the time of writing as an aid for vulnerable people, all identified at minimal cost. The potential for harm is massive: in less than a couple of hours, we could interact with 175 of these devices!

In the image below you can see an example response from the device; we have sanitised any information that could associate the device with a specific person.

While we only identified a small number of devices (we didn't want to send too many text messages), reviews and literature confirm that the number of devices in use is much higher.

EXAMPLES OF COMMANDS

'Loc' command – returns an accurate, current GPS location.

'Version' command – responds with the IMEI number.

'SMS0' – disables the SMS alarm.

'Low0' – disables the low battery alarm.

'L1' – enables the "Listen In" functionality.