Researcher: electronic house arrest could be misled GSM spoofing




A certain type of electronic ankle bracelet for house arrest of convicted criminals and suspects can be cracked. As a result, falsifying locations possible, claims a security researcher. It is not known whether the band is also used in the Netherlands.

Researcher William Turner claims that the ligament in question can be cracked using a forged mast. He told Tweakers the DEF CON hacker conference in Las Vegas. The company’s anklet GWG International uses GPRS or SMS to send the location of a convict or suspect to the police, but mobile networks are easy to imitate and the company has built itself no additional authentication. It is not clear in which regions will use the anklet; about GWG will give information according to Turner.

The investigator bought an anklet and base in the Taiwanese company by posing as a potential customer. A fee of $ 1000, converted 910 euros – Turner says it is unclear whether that was the price for the unit, or in fact any kind of bribe – he was telling the unit. “This do not think in the real world,” he advised visitors DEF CON during his presentation. “You will end up in jail.” At the same time he says that someone else the attack could easily mimic.

The attack must be undertaken its own falsified base for a mobile network; for that free software can be used as OpenBTS or YateBTS. Then it must falsified ‘BTS’ occur when the mobile network of the ankle. Then the ankle connects to the network forged the attacker. Turner wrapped the ankle in several layers of aluminum foil to weaken the range of the antenna in the ankle, so that the base had forged the strongest signal.

If the ankle GPRS used to send the location to the police, the attack is the simplest. The traffic may then be forwarded to a server which is managed by the attacker. “Next, edit the location in the messages, and send traffic back to the police,” said Turner. GPRS traffic is sometimes encrypted, but even if that happens, the encryption is easy to crack. The base throws in the attack, moreover, no spanner in the works: that acts merely as a kind of beacon, the communication is done from the ligament itself.

Uses the ankle SMS to communicate with the police, the attack is more difficult, because first the telephone number of the ankle must be located. To this end, the SIM card can be removed from the ankle and plugged into a phone. Then, the attacker must send a message to a number known in order to determine the phone number of the ankle. The counterfeit network is used to prevent the ankle successfully initiate an alarm that the device is opened. Counterfeit locations can then be sent to a service that offers to send fake text messages; of which there are several. “I made a Python script that sends authentic-looking locations,” said Turner.

Another way in which the ankle does not have to be opened, by configuring the remote device different. This can be done using text messages; from the forged network configuration messages can be sent to the ankle. It should be sent a four-digit PIN; to guess that an attacker could up to forty days are engaged in brutal Forcen that password, Turner said. PIN is compromised, then the ankle can be configured so that it sends the location messages to a phone number of the attacker. Then he knows the phone number of the ankle, and he can send fake messages to the police.

Then, the location can be changed so that it looks as if the convicted person is home while he is in fact in a different location, “for example, in the pub, ‘says Turner. The ankle may even be dismissed. In that case, would beat the anklet really alarm, but because all communication is intercepted, those messages never come.

Turner argues that an attacker must be on a lot of technical skills to exploit the vulnerabilities. “But I can imagine that someone with such skills surcharge and service design to crack anklets.”

According to the researcher, the vulnerability can be solved by the manufacturer, by incorporating cryptographic checks. However, Turner has not approached the manufacturer; it is customary to revelations about security problems. GWG Saturday morning local time was not available for comment.


In: A Technology & Gadgets Asked By: [21393 Red Star Level]

Answer this Question

You must be Logged In to post an Answer.

Not a member yet? Sign Up Now »

Star Points Scale

Earn points for Asking and Answering Questions!

Grey Sta Levelr [1 - 25 Grey Star Level]
Green Star Level [26 - 50 Green Star Level]
Blue Star Level [51 - 500 Blue Star Level]
Orange Star Level [501 - 5000 Orange Star Level]
Red Star Level [5001 - 25000 Red Star Level]
Black Star Level [25001+ Black Star Level]