Exploiting 10,000+ devices used by Britain’s most vulnerable
In this post, we’re going to detail some of the issues our team identified with the an extremely common Alarm & GPS device used by vulnerable people around the world (at least 10,000+ in the UK). The device in question is manufactured in China and seems to be purchased in bulk by numerous providers who simply rebrand and resell the product as their own offering. It does not appear the manufacturers, nor the companies reselling the devices, conducted any security testing or penetration testing of the device.
Before we start, here’s an obligatory summary of what we were able to achieve – all by simply knowing a phone number:
- Retrieve live GPS data at any given time the device is live.
- Call the device and have the call automatically answered; a glorified wiretap (the device manual even calls this voice wiretapping!)
- Change or completely remove all emergency contacts.
- Disable GPRS and effectively render the device useless.
- Disable motion alarm.
- Disable fall detection.
- Power off the device.
- Remove any device PIN which had been set.
WHAT IS THE DEVICE?
An elderly relative recently had their local council upgrade their “only in-home” emergency, call panic button, lanyard into one that also detects falls and works everywhere.
The previous system had a pendant that was worn around the neck. It connected to a base station in the house and that, in turn, was plugged into the phone line. The microphone and speaker were at the base station. The battery in the pendant lasted for months.
If the vulnerable person activated the pendant while they were far away from the base station the emergency answering service wouldn’t be able to communicate with the owner. (They would, and have, still sent out services to check on the vulnerable person). If the vulnerable person was out, for example on a walk or a buggy to town, and they pushed the button it would do nothing due to being out of range of the base station.
The new one with fall detection seems like a great idea. It also uses the mobile phone network so removes the need for the base station and allows the device to work anywhere. The microphone and speaker are on the pendant itself, so communication with the owner during an emergency will be easier.
A WEALTH OF FUNCTIONALITY
The device was designed to be both practical and easy-to-use and, in the event of an accident, act as a device which makes the difference between life and death. As such, there was a lot of functionality built into the small device. A list of these, extracted from the manual, can be seen below:
- Set and delete authorised numbers.
- Listen-in.
- Turn LED’s on/off.
- Location request.
- Cell locate.
- Over-Speed alarm.
- Geo-fence alarm.
- Movement alarm.
- Motion alarm.
- Fall detection.
- Check settings.
- Device power settings.
- Reboot.
- Reset.
- Lock your device (we’ll come back to this).
- Change password.
So what’s the issue here?
The manufacturer (a Chinese company) built in PIN functionality to help lock the devices down to the numbers which are programmed into the device. While this approach sounds secure at first glance, we soon discovered this was not the case.
There were two fundamental flaws with this approach:
1) PIN, by default, was DISABLED. Users of the device only knew about the PIN functionality if they read the appropriate section of the manual.
2) When enabled, the PIN is required as a prefix to any commands to be accepted by the device, except for the REBOOT or RESET functionality.
The main issue here is the use of the RESET functionality which alone is a danger to the device. Sending the appropriate RESET command restores the device to factory defaults. This means all stored contacts and emergency contacts are removed, all non-default settings were changed back and the device still provided current GPS location. Once a factory reset had been applied, the device was then open to all to access again, without the requirement of knowing the PIN.
If anything, the RESET functionality provides a malicious user with the ability to gain remote access to the device and conduct further attacks.
SO WHAT?
Initially we were completely unaware of the widespread nature of this device as it was provided originally by a local council. Further digging enabled Fidus consultants to identify MULTIPLE companies purchasing the device from China and rebranding it. We found the following places selling the device, and these are just the UK companies:
- Personal Alarm & GPS Tracker with Fall Alert – Unforgettable
- Footprint – Anywhere Care
- GPS Tracker – Fall Alarm – Amazon/Tracker Expert
- SureSafeGO 24/7 Connect ‘Anywhere’ Alarm – SureSafe
- Ti-Voice – TrackIt24/7
- Many, many more.
We identified this device currently being used in USA, Australia, Finland, Germany, Spain.. you get the idea.
It’s worth noting it’s not just vulnerable adults who are supplied these devices, it’s children too.
BUT WAIT… YOU NEED A PHONE NUMBER
Surprisingly, this was extremely easy to achieve using a little Python script. First of all, we already knew a phone number of a SIM which had been provided by a local council, and we assumed that these numbers were purchased in a batch.
This means we can attempt to send messages to all the numbers in the same ‘range’ as the one we got our hands on. We decided to start with 2,500 numbers so for example if the number was 07499000500 (it wasn’t!) we decided to check all the numbers from 07499002500 to 07499005000.
Initially we assumed we would get a few devices to respond off the bat. We had hoped that most people had set the PIN feature so that they wouldn’t respond to our number.
Unfortunately, we were wrong! Seriously wrong!
Out of the 2,500 messages we sent, we got responses from 175 devices (7%). So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!
In the image below you can see an example response from the device, we have sanitised any information that could be used to associate the device with a specific person.
While we only identified a small number of devices (we didn’t want to send too many text messages), we can look at reviews and literature to confirm the number of devices in use is much higher.
EXAMPLES OF COMMANDS
‘Loc’ command – returning an accurate, current GPS location:
Version command – Responds with IMEI number:
SMS0 – SMS alarm disable:
Low0 – Disables low battery alarm:
L1 – Enables “Listen In” functionality
LISTEN IN?
That last command was interesting, upon reviewing the manual with this setting turned on it was possible to call the number of the device and be instantly connected so that you could listen into the audio. There were no signs from the device when this was activated or when you called in, turning this device issued to vulnerable people into a remote listening bug! If the password is set, we can simply send two commands (RESET, L1) to the device and instantly call it and listen into what is happening on the other end.
This issue teamed with the location tracking abilities of the device allows you to conceive some pretty scary potential use cases. We will leave that up to the reader’s imagination!
CAN IT BE FIXED?
Yes & No. It is easy to fix new devices, but not so much a device already in the wild.
Fixing this broken security would be trivial. All they needed to do was print a unique code on each pendant and require that to be used to change configurations. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.
Even using the documented PIN setup (123456lock) won’t help as the factory reset command is still accepted without authentication or prior authorisation.
Now these devices are out in the wild I expect there is no way to apply these updates. Any local authorities that are supplying these devices or employers who are using them to keep their workforce safe should be aware of the privacy and security problems and should probably switch to another device with security built from the ground up.
Prior to the release of our research we’ve been contacting, and have been working with, some of the biggest UK suppliers to help them understand the risks posed by our findings. Some UK suppliers are looking into and are actively recalling devices and some have not responded.
UPDATE 16/05/2019:
HoIP Telecom / Pebbell 2 have since been in contact and explained why their devices aren’t as vulnerable as others. HoIP Telecom have implemented security fetures within their Pebbell devices and have blacklisted sensitive commands; such as L1 (listen in) and RESET (remove PINs). Once a PIN has been set on a Pebbell 2 it is not possible to remove this without sending an SMS from pre-programmed set of telephone numbers – something which is not possible to work out. Should a user not set a PIN, some commands such as STATUS will work on the device but no overly sensitive information can be obtained other than trusted mobile numbers.
UPDATE 24/05/2019:
AnywhereCare have been in contact to dispute our claims and advise our article is factually incorrect and their devices are not vulnerable. However, prior to this claim we purchased a device from their website and it appears to still be vulnerable.
