Security Flaws in GPS SOS Pendant Allow Tracking and Eavesdropping

  • A very popular GPS emergency pendant for the elderly is vulnerable to a range of serious attacks.
  • The device accepts commands from anyone who knows its phone number, which can render it useless or turn it into a remote wiretap.
  • There is no fix for the device, so returning it to the supplier is the best way to deal with this.

According to a report by the Fidus security researchers, a popular GPS device that is generally used by the elderly in the UK can easily be made to reveal its real-time location. The device is made in China and is re-branded by several vendors who market it as an emergency alerting product. The pendant has a button to call home or to a service, and a microphone and speaker to carry the call. Other functions of the device include fall detection, location request, motion and movement alarm, geo-fence alarm, locking, and more.

SOS GPS Pendant
The researchers discovered quite a few issues with these devices, starting with the PIN setting, which is set to “disabled” by default. This means that the device is sold unlocked, and it is only protected if the user reads the manual and chooses to set a PIN. Many older people just won’t do that. The PIN is used as a prefix to all commands that the device accepts, and when no PIN is set, no prefix is required. Long story short, unlocked GPS pendants will accept every command sent to them and respond or act accordingly.

Using a Python script, and knowing the phone number of the target, the researchers sent messages to all the numbers they got from a local council that had distributed these devices to its vulnerable members. Out of the 2500 phone numbers tested, 175 responded to the messages, which means they were not PIN-locked. The commands such devices accept include fetching the current GPS location, disabling SMS alerts, fetching the IMEI number, powering off the device, and even activating the “Listen In” feature that turns on the microphone. This last command doesn’t even warn the wearer of the pendant that someone is eavesdropping on them.

The researchers also found that the devices that are PIN-protected are not safe either. Sending a “Reset” command to the GPS device doesn’t require the PIN prefix, and the reset returns the device to its default, unlocked state, allowing for further exploitation. There are at least 10000 of these pendants in the UK, and no one knows how many in the rest of the world, used by the most vulnerable category of people. Since there’s no way of fixing these flaws, the only way to deal with them is to alert the users and the suppliers concerned, organize recalls, and stop using them altogether.
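To make the two design flaws above concrete (a PIN that is disabled by default, and a Reset command that skips the PIN check even when one is set), here is a small model of the pendant's SMS command handling beside a hardened variant. This is an added illustration, not firmware or code from Fidus or any vendor: the command names, the `<pin>,<command>` message format and the PIN handling are assumptions chosen to show the behaviour the report describes.

```python
"""Toy model of a GPS pendant's SMS command gating (added example, hypothetical).

The command names and message format below are assumptions, not the real
device's syntax. The model shows why a disabled-by-default PIN and an
unauthenticated Reset leave the device open, and what a hardened handler
would do instead.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import secrets

# Hypothetical command set, modelled on the features the article lists.
COMMANDS = {"location", "imei", "poweroff", "listenin", "disablealerts", "reset"}


@dataclass
class Pendant:
    pin: Optional[str] = None          # None means "PIN disabled" (the shipped default)
    reset_requires_pin: bool = False   # flaw: Reset is accepted without the prefix
    audit: List[str] = field(default_factory=list)  # events a service could monitor

    def handle_sms(self, text: str) -> str:
        """Parse '<pin>,<command>' or a bare '<command>' and act on it."""
        parts = text.strip().split(",", 1)
        if len(parts) == 2:
            supplied_pin, cmd = parts
        else:
            supplied_pin, cmd = None, parts[0]
        cmd = cmd.lower()
        if cmd not in COMMANDS:
            return "ERR:unknown"
        # With no PIN configured nothing is checked at all. On the vulnerable
        # firmware, Reset is additionally exempt from the check even when a PIN is set.
        pin_needed = self.pin is not None and (cmd != "reset" or self.reset_requires_pin)
        if pin_needed and supplied_pin != self.pin:
            self.audit.append(f"rejected:{cmd}")
            return "ERR:pin"
        return self._execute(cmd)

    def _execute(self, cmd: str) -> str:
        if cmd == "reset":
            self.pin = None  # back to factory state: unlocked again
        self.audit.append(f"executed:{cmd}")
        return f"OK:{cmd}"


def factory_default_pendant() -> Pendant:
    """The device as the article describes it shipping: unlocked, Reset unauthenticated."""
    return Pendant()


def hardened_pendant() -> Pendant:
    """Per-device random PIN enabled from the start, and Reset gated like every other command."""
    return Pendant(pin=f"{secrets.randbelow(10**6):06d}", reset_requires_pin=True)


if __name__ == "__main__":
    locked = Pendant(pin="1234")
    print(locked.handle_sms("listenin"))        # ERR:pin
    print(locked.handle_sms("reset"))           # OK:reset  (no PIN needed: the flaw)
    print(locked.handle_sms("listenin"))        # OK:listenin (device is now unlocked)
    safe = hardened_pendant()
    print(safe.handle_sms("reset"))             # ERR:pin
    print(safe.audit)
```

The `audit` list stands in for the kind of logging a monitoring service would want: a burst of rejected commands, or a Reset followed by a Listen-In, is exactly the sequence a supplier should be able to see and act on.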

Leave your comments down below, and help us spread the word by sharing this post through our socials, on Facebook and Twitter.
