- A very popular GPS emergency device for the elderly is vulnerable to all kinds of nasty stuff.
- The device can accept commands from anyone in range, rendering it useless, or turning it into a wiretap thingy.
- There can be no fix for the device, so returning it to the supplier is the best way to deal with this.
According to a report by the Fidus security researchers, a popular GPS device that is generally used by the elderly in the UK can be easily hacked to reveal its real-time location. The device is made in China and is re-branded by several vendors who market it as an emergency/alerting gimmick. The pendant has a button to call home or a service, and a microphone and speaker to carry out the call. Other functions of the device include fall detection, location request, motion and movement alarm, geo-fence alarm, locking, and more.
The researchers discovered quite a few issues with these devices, starting with the PIN setting, which is set to “disabled” by default. This means that the device is sold unlocked, and a user who decides to protect it with a PIN can only do so after reading the manual. Many older people just won’t do that. The PIN, however, is used as a prefix to all commands that are accepted by the device, and when there’s no PIN set, there’s no prefix. Long story short, the unlocked GPS pendants will accept all commands that are sent to them and respond/act accordingly.
Using a Python script, and knowing the phone numbers of the targets, the researchers attempted to send messages to all the numbers they got from a local council that distributed these devices to its vulnerable members. Out of the 2500 phone numbers that were tested, 175 responded to the messages, which means they were not PIN-locked. The commands that can be sent to such devices include fetching the current GPS location, disabling SMS alerts, fetching the IMEI number, powering off the device, and even activating the “Listen In” feature, which turns on the microphone. This last command doesn’t even warn the wearer of the pendant that someone is eavesdropping on them.
The researchers also figured out that the devices that are PIN-protected are not safe either. The “Reset” command doesn’t require the PIN prefix, and sending it brings the GPS device back to its default state, allowing for further exploitation. That said, there are at least 10000 of those pendants in the UK, and no one knows how many in the rest of the world, used by the most vulnerable category of people. Since there’s no way of fixing these flaws, the only way to deal with them is to alert the users and concerned suppliers, organize recalls, and stop using the devices altogether.
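
The two design flaws described above (an empty default PIN that makes the prefix check pass for any message, and a “Reset” command exempt from the PIN) can be modelled in a few lines next to a deny-by-default gate. This is an added example, not code from the Fidus report or the device firmware; the command names, the `<PIN><COMMAND>` layout, the phone numbers and the sender allowlist are all assumptions made for illustration.

```python
import hmac

# Hypothetical command names and layout (<PIN><COMMAND>); not the real syntax.
COMMANDS = {"LOCATION", "LISTEN", "POWEROFF", "RESET"}


class Pendant:
    def __init__(self, pin="", trusted=()):
        self.pin = pin               # "" models the shipped default: PIN disabled
        self.trusted = set(trusted)  # assumed allowlist of controlling numbers

    def handle_as_reported(self, sender, text):
        """Gate as the article describes it: prefix check only, RESET exempt."""
        if text == "RESET":          # accepted without the PIN prefix
            self.pin = ""            # device returns to the unlocked default
            return "reset"
        if not text.startswith(self.pin):  # always passes when pin == ""
            return "rejected"
        cmd = text[len(self.pin):]
        return cmd.lower() if cmd in COMMANDS else "rejected"

    def handle_hardened(self, sender, text):
        """Deny by default: known sender, PIN configured, PIN on every command."""
        if sender not in self.trusted or not self.pin:
            return "rejected"        # no remote control until a PIN is set
        supplied, cmd = text[:len(self.pin)], text[len(self.pin):]
        if not hmac.compare_digest(supplied.encode(), self.pin.encode()):
            return "rejected"
        if cmd not in COMMANDS:
            return "rejected"
        if cmd == "RESET":
            self.pin = ""            # after reset, remote commands stay refused
        return cmd.lower()


def demo():
    """Run constructed messages through both gates and collect the outcomes."""
    carer, stranger = "+440000000001", "+440000000002"  # constructed numbers
    unlocked, locked = Pendant(), Pendant(pin="1234")
    hardened = Pendant(pin="1234", trusted=[carer])
    return {
        "default_listen": unlocked.handle_as_reported(stranger, "LISTEN"),
        "locked_listen": locked.handle_as_reported(stranger, "LISTEN"),
        "locked_reset": locked.handle_as_reported(stranger, "RESET"),
        "listen_after_reset": locked.handle_as_reported(stranger, "LISTEN"),
        "hardened_reset": hardened.handle_hardened(stranger, "RESET"),
        "hardened_no_pin": hardened.handle_hardened(carer, "LISTEN"),
        "hardened_ok": hardened.handle_hardened(carer, "1234LISTEN"),
    }
```

In the hardened gate a reset leaves the device refusing remote commands until a PIN is set again, which is the opposite of the reported behaviour where a reset reopens it to everyone.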