#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Sep 13, 2019 02:00 pm Cyber Security 226

#44CON: GPS Trackers Hacked to Make Premium Rate Calls

Speaking at 44CON, Pen Test Partners researchers Tony Gee and Vangelis Stykas demonstrated vulnerabilities in GPS trackers, which enabled them to call premium rate phone numbers, and possibly influence the outcome of television talent shows.



Gee said that there is demand for GPS trackers, which are used in watches for kids, cars and even on pets’ collars, but their research had found consistent API vulnerabilities. Gee said that the problems were in “a lot of common APIs and used across platforms” in IoT products that were available cheaply.



Stykas called one product range “a monstrosity,” saying that the research into Thinkrace technology found that most API calls did not require authentication, and all users start with the default password “123456.” There were at least 370 vulnerable devices, across 80 domains on 40 different servers, which Stykas said allows anyone to be tracked, with a hacker able to change the email and take over the device, and force a firmware update. 



Calling it a “classic horizontal escalation of privilege,” Stykas said that the vendor had not responded to vulnerability disclosures for three years “on multiple attempts.”



In further research, Gee said that a lot of the GPS devices, particularly tracker watches for kids, used a pay-as-you-go SIM card, and allowed for a premium rate phone line to be called. “If we own the number, we make the money,” he said, pointing out that the costs of setting up a number only runs into hundreds of pounds, but regulation by the PSA was strong on doing th ..

Support the originator by clicking the read the rest link below.

44con trackers hacked premium calls
Read The Rest from the original source
infosecurity-magazine.com

Related News

Be in Touch

All Rights Reserved #1 Source for Cyber Security News, Reports and Threat Intelligence
Powered By The Internet!!!!