Wide Range of GSM Modules, SCADA Systems Vulnerable to Remote Control

If you think your car is safe and secure sitting in your driveway at night with its fancy alarm system enabled, Don Bailey has some bad news for you: he can unlock it and turn it on. Whenever he wants. From the other side of the country.


Bailey, a senior security consultant at iSEC Partners known for his work on hacking GSM and embedded systems, has found a method that enables him not only to identify certain kinds of GSM modules over the mobile network, but also to learn exactly where they’re located via their GPS coordinates. He also discovered that he could send his own commands to the modules and essentially have them do whatever he likes.

Bailey will demonstrate his attack next week at Black Hat, showing a video of him remotely unlocking and starting a vehicle without the key in the ignition.

“I had been doing some research on this GPS locator called the Zoombak and I figured out that it’s basically just a microcontroller with a baseband,” Bailey said. “So I devised a method for finding these things over the GSM network and started sending them messages. I can send it an SMS message and get it to upload data to a random IP address, tell it to send me its GPS location every so often, whatever I want.”

Bailey used a variety of methods to fingerprint the devices over the GSM network, building on work that he and Nick DePetrillo had done previously. He knew that the Zoombak, for example, was only on the T-Mobile network and that the billing address for the phone number associated with the devices was the company’s, not each individual owner’s. Those numbers all show up as unknown in the caller ID database, which greatly reduced the number of candidate numbers for the device he was trying to find. Eventually, he found that he could identify GSM devices with a success rate of about 86 percent.

Interestingly, the same architecture that’s used in the Zoombak is also used in a wide range of other devices, including car security systems, security systems at water treatment facilities and in industrial control systems, as well. That means that the same weaknesses also affect all of those systems, making them susceptible to simple attacks that are quite easy to implement, Bailey said.

“This is not technologically advanced. The fact is, you can own these kinds of systems in under a couple of hours,” he said. “It’s easy. There’s no confidentiality or integrity built into the systems. We shouldn’t have the equivalent of SQL injection in hardware, and that’s what this is. That’s the danger. It shouldn’t be possible for any fly-by-night 12-year-old to do this.”

Bailey has been working on the project for some time, along with his colleague Matt Solnik, also of iSEC. After discovering the weakness of the architecture used in the GSM modules, the pair started looking around for other systems to hack that had the same poor security design. It didn’t take long for them to have their hands full.

“I knew this was in car alarms, so I went and bought one and within two hours of purchasing the device, we had it owned,” he said. “Not only is the architecture ubiquitous, no one understands that the module is so weak in its inherent design that I can completely own not just that device, but all the devices attached to it. There are lots of places that security and integrity could have been introduced, but they’re not. And it’s mostly because of money.”

Bailey said that as he and Solnik got down into the weeds on their research, they discovered that the auto makers and alarm manufacturers, which he and Solnik are not naming yet, didn’t even try to make it difficult to reverse engineer the systems.

“They didn’t even go so far as obfuscating the kinds of chips they use as the microcontrollers,” Bailey said. “I literally just opened the box and it said it was XYZ chip and in two minutes I had the data sheet and I knew what ports to tap and what to do.”

As easy as this was for Bailey and Solnik to exploit, it will be equally difficult for manufacturers to fix.

“This is infrastructure and it’s going to be there for a long time. It’s going to take them forever to alter this in a way that I can’t fingerprint,” he said.
