The tool for the owner to track its pet became a tool for tracking all the pet owners themselves. The hunters became the hunted.
|Published:||Mon, June 25, 2018, 06:57|
Internet of Things
OWASP 2017 A5
A tracking system was leaking information about all the users, pictures, and information and location data from all the trackers.
|Who:||Anonymous, let's call them Acme4|
|Reception and handling:||Good|
|Reward:||A thank you|
|Issue:||Information leak with pictures, personal information and location data|
Acme4 sells a tracking chip intended to be used for dogs. There's a companion mobile app which is used to see the tracker on the map and send commands to it. It was a bit of a coincident that I noticed this system and took a closer look at it.
I never had physical access to a tracker, so the only entry point for me was the app itself.
I have my guide on how to crack Android apps which I take a quick glance at when doing this stuff. This was easy enough though. I downloaded the APK from apkmonk.com and decompiled it with javadecompilers.com. The end result was a an full access to the source code and resources.
Normally I would probably just have used a HTTP proxy to intercept the traffic, but in this case where I didn't have the necessary hardware (the tracker) I wouldn't be able to use all functions, so I needed the source code to discover all possible HTTP calls. Also the source code sometimes include hidden gems like unused endpoints, test servers and more.
I was a bit surprised by the how clean the code was and how it used modern patterns and libraries. The UI isn't that nice and often I find there to be a correlation..
With the app's source code I could try out the server communication. This wasn't exactly your regular REST API. While the data returned from the server was JSON, all of the calls were GET calls for all kinds of actions with the data in query string parameters - even the authentication. Of course this just make it much easier to play around using a desktop browser.
The search for adding friends had the classic "return everything" when searching for
___. There's nothing inherently wrong with that, but it isn't ideal, and also the search returned the ID, username, a display name, first name, last name and e-mail address of the users.
I found all the pictures of the users in an open Amazon S3 bucket. Luckily most of the users are dogs. 😅 But still, some owners might upload pictures of themselves with their pet. Surely the owners don't expect the pictures to be lying around on the Internet.
Using the PHP scripts it was possible to iterate through all of the registered trackers as the ID was based on an incremental integer. The combined tracker information I got from the scripts was ID, phone number (to the tracker SIM card), IMEI, display name and historical location data (latitude, longitude, address, direction).
The good news is that I didn't find any direct way of seeing which tracker belonged to which user. However, about 5% could be connected because of the display name of the tracker. Additionally, because of the incremental IDs, it was possible to pretty accurately estimate which tracker belonged to which user.
Night time Friday I sent an e-mail to the support address. I like to keep it short, but this was probably the longest description I've had to write in such an e-mail.
Before lunch on Monday I got an e-mail thanking me for the report.
Again before lunch, I got an e-mail telling me that everything should be fixed. So this was all pretty quickly taken care of.
While doing this write-up I saw - and reported - that the search for adding friends within the app still also returns e-mail addresses and still returns all users if searching for a special character. I hope that'll be fixed. Imagine Facebook giving away all users and their e-mail addresses that easily.
I looked into the financial and other public information of this company. I also checked out social media and did a little general due diligence. Though the person behind the company might not do all coding and support personally, it appeared to be a one-man show. I don't want to use my blog to afflict individuals. As stated before, I want people to know that none of their data is secure, I want us developers to improve our data security skills, and I want companies to take more responsibility around data security and their customer data.
Maybe we as consumers should think twice when buying devices connected to the Internet. Think about what information you hand over to the vendor and what could be the worst case if everything's leaked. Would someone be able to live track you? Would someone be able to know when you're not at home? Would you be ok with anyone having the usage data for this system? Would you be fooled if anyone used this information in a clever way in a phising e-mail?
I wish that there was some sort of certification to know that an IoT vendor at least fulfils some minimum standards in regards of computer security and have regularly third party audits.