After hours of driving and hiking along a ridge in a state park, I’d found a well-secluded spot to set up camp in the middle of the woods. Three states from home and not even visible from the trail, I was ready for some well-deserved relaxation where no one could find me.
No one, except for the GPS tracker in my pack.
As large as a Zippo lighter, the device had observed my entire road trip, using GSM to periodically upload location information to backend servers for later perusal. And that’s just the basic functionality. If someone knew its phone number and authentication pin (the super-secure default: 123456) they could tweak other device settings, and even call in to eavesdrop on conversations using the device’s microphone.
All it cost me was about $20 for the device, and $25 for a 2G pre-paid SIM.
Enter the world of consumer-grade GPS spying devices. Thanks to the ubiquity of the cellular network and cheap GPS radio chips, there is a wide range of off-the-shelf trackers for pets, vehicles, and nearly anything else that can move. Some attach to a car’s onboard diagnostics (OBD-II) port, some come with collars for dogs or cats, others have magnets to attach to the underside of a vehicle, but nearly all are designed to be small and concealable.
There’s also nearly as much variety in cost, ranging from inexpensive devices that require the purchase of a SIM, to more polished and managed subscription services costing hundreds of dollars.
But I wasn’t interested in a market survey as much as user privacy. Like other surveillance tech, these trackers can easily be abused while their manufacturers hide behind the shield of dual-use: “Our products are only for strictly legal use by upstanding citizens!” they cry. “We just can’t help if people misuse them!”
The questions I’d like to examine in this blog post are:
Rather than presenting a survey of all available devices, let’s start by digging into one in order to get a clearer idea about how these things work – and how they could (conceivably) be used against you.
I found the cheapest tracker that didn’t seem to be snake oil and began my research, quickly discovering that the shoddy-but-functional device I’d bought was one of probably zillions of clones of a more popular precursor. Though at first I wondered if I’d been scammed, the pager-sized bug did what it advertised, if you patiently poked it according to the manual.
Out of curiosity, I bought more trackers that looked identical but appeared to be from different sellers and manufacturers. After comparing package contents, manuals, features, command syntax, case design, PCB construction and manufacturer Type Allocation Code (TAC) in each device’s IMEI, I got the distinct impression that each device I’d ordered came from the same assembly line, with the only real differences being initial settings and the seller’s logo.
Looking up the TAC and accompanying Android app led me to the apparent origin of my trackers:
Figure 1: TK102 clones…. Or am I being paranoid?
Figure 2: TK102 clones and other devices.
Figure 3: TK102 clone internals. All were bought from different sellers.
After this basic inspection, I turned to feature testing: does it really do what it claims? I inserted an SD card, an active SIM card, and powered the device on. After a few minutes of connecting to the network and achieving a GPS lock, it was responding to SMS commands, spitting back the device’s last logged latitude/longitude with a helpful Google Maps link to the location, and accepting various settings changes.
With a friend’s help I switched to audio monitor mode, called the device, and sure enough heard their consensually-surveilled test conversation. I enabled ‘log-to-sdcard’ mode, took the bug on a bicycle ride, loaded the resulting GPX file into Google Earth, and watched as it traced out my afternoon jaunt. I enabled the device’s data upload, ran errands around town, and replayed my travels through the seller’s web portal. It was finicky, but it worked.
Figure 4: A pleasant camping trip displayed on Google Earth.
Interestingly, the device let me specify a custom server to upload data to, rather than the default. Configuring the device to point to a VPS I control, setting up a transparent proxy to forward to the default server and running a packet capture, I could get a peek at what the bug was phoning home with over the GSM data connection.
Sure enough, its regular updates contained the device’s ID, latitude/longitude, possibly a speed, and other unidentified info. In a strange twist of fate, this feature could feasibly strengthen the privacy of people who want to track themselves and yet still maintain control over their own historical location data, tracking their runs or hikes without having to hand this data over to a third party.
This device was creepy enough, considering its small size, magnetic body and vinyl case that seemed to say, “put me under someone’s car” (Echoes of Breaking Bad, anyone?). But amazingly, the potential for privacy invasion extends beyond whoever is controlling it and the seller who is housing the data.
Firstly, the data sent when the device phoned home was not encrypted at all. Anyone who could observe the data as it traveled the Internet to its backend server could pull out the location and speed of the tracker. Even worse, there appears to be no authentication of the traffic, or of the identity of either party. This could allow a third party to modify and insert data in a MITM attack, falsifying location info from the tracker, or spoofing commands to the tracker from the server. But that’s just the beginning.
Figure 5: Red is from the tracking device, blue is from the backend server.
The web portal for this particular service didn’t even support encryption. Again, anyone who could see the traffic could see whatever the user saw, and of course nab their login credentials.
But the credentials themselves were what was worrying me. The login accepts a tracker ID number and pin to log in, with the pin default being 123456 (!). The ID number at least is 12 digits, which should make guessing difficult. However, in the three devices I purchased, the last 11 digits of the ID were identical to the last 11 digits of the IMEI, which actually makes brute-forcing IDs plausible.
For those who don’t know, an IMEI is divided into two main sections: the Type Allocation Code (TAC) and the manufacturer-defined serial. The first eight digits are the TAC, which essentially describes what entity manufactured the device. The remaining numbers are six digits the manufacturer assigns as a serial, followed by a Luhn check digit computed from all the preceding digits of the IMEI. Because anyone who bought a device (or looked at product images on Amazon) would know at least one of the TACs used, this just leaves the 6-digit serial number that the manufacturer controls, along with an easy to calculate Luhn check digit.
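To make the IMEI layout described above concrete, here is an added example (not code from the original post) that splits an IMEI into TAC, serial and check digit, verifies the Luhn digit, and counts how much is left to guess once a TAC is known. The sample IMEI is a documentation-style value rather than one of the devices discussed, and the assumption that a changed pin stays six digits long is mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Imei:
    tac: str     # 8-digit Type Allocation Code
    serial: str  # 6-digit manufacturer-assigned serial
    check: str   # Luhn check digit derived from the 14 digits before it

def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a string of decimal digits."""
    total = 0
    for pos, ch in enumerate(reversed(body)):
        d = int(ch)
        if pos % 2 == 0:   # the digit next to the check digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def parse_imei(raw: str) -> Imei:
    """Split a 15-digit IMEI into its fields, rejecting a bad check digit."""
    digits = raw.replace("-", "").replace(" ", "")
    if len(digits) != 15 or not (digits.isascii() and digits.isdigit()):
        raise ValueError("an IMEI is exactly 15 decimal digits")
    body, check = digits[:14], digits[14]
    if luhn_check_digit(body) != check:
        raise ValueError("Luhn check digit mismatch")
    return Imei(tac=body[:8], serial=body[8:], check=check)

def guesses_with_known_tac(pin_is_default: bool, pin_digits: int = 6) -> int:
    """Size of the ID-plus-pin space once the TAC is known.

    Assumption: a changed pin is a uniformly chosen pin_digits-digit number.
    """
    serial_space = 10 ** 6   # the check digit is derived, so it adds nothing
    pin_space = 1 if pin_is_default else 10 ** pin_digits
    return serial_space * pin_space

SAMPLE_IMEI = "49-015420-323751-8"  # sample value, not one of the devices

if __name__ == "__main__":
    print(parse_imei(SAMPLE_IMEI))
    print(guesses_with_known_tac(True), guesses_with_known_tac(False))
```

The second figure shows why changing the default pin matters: it multiplies the space by another factor of a million.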
Effectively, a brute-force check for default pins for all devices with the same TAC as a known TAC takes a measly 1,000,000 tries. As we learned from Mirai, people don’t do a great job of changing default credentials either.
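On the portal operator's side, this kind of guessing has a recognizable shape: one source trying many different tracker IDs in a short time. The sketch below is an added example, not anything the vendor runs; the log format, addresses, IDs and thresholds are all constructed for illustration. It counts every attempt rather than only failures, because with default pins in place some guesses will succeed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed portal login log (format is an assumption, not the vendor's).
SAMPLE_LOG = """\
2018-08-01T12:00:00Z 198.51.100.20 login id=901542032375 result=ok
2018-08-01T12:00:01Z 203.0.113.7 login id=901542000001 result=fail
2018-08-01T12:00:02Z 203.0.113.7 login id=901542000019 result=fail
2018-08-01T12:00:03Z 203.0.113.7 login id=901542000027 result=ok
2018-08-01T12:00:04Z 203.0.113.7 login id=901542000035 result=fail
2018-08-01T12:07:00Z 198.51.100.20 login id=901542032375 result=ok
2018-08-01T12:30:00Z 198.51.100.20 login id=901542032383 result=fail
"""

def parse_line(line):
    """Return (time, source, tracker_id, result) for one log line."""
    ts, src, _event, id_field, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, src, id_field.split("=", 1)[1], result.split("=", 1)[1]

def find_id_spraying(log_text, window=timedelta(minutes=5), max_ids=3):
    """Flag sources that try more than max_ids distinct tracker IDs inside
    any sliding window. Returns {source: peak distinct IDs seen}.
    Assumes the log is in chronological order."""
    recent = defaultdict(deque)   # source -> deque of (time, tracker_id)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, src, tracker_id, _result = parse_line(line)
        attempts = recent[src]
        attempts.append((when, tracker_id))
        # Drop attempts that have aged out of the window.
        while when - attempts[0][0] > window:
            attempts.popleft()
        distinct = len({tid for _, tid in attempts})
        if distinct > max_ids:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_id_spraying(SAMPLE_LOG))
```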
Overall, the lack of reasonable design choices doesn’t exactly inspire confidence in the system’s ability to protect the user’s valuable GPS location data.
Something that surprised me was how plausible and innocuous I found some of the advertised uses for various trackers. If I was operating a towing agency or taxi service, I could track my vehicles in real time for dispatch. As a consumer, I could track an expensive drone as insurance against it being lost, or keep tabs on a beloved pet if they had a knack for escaping. I could even track my bicycle in case it were ever stolen.
And moving on to the next level of real-world tracking… I could even track people. Certainly, one could understand a caring family’s wishes to keep tabs on an elderly relative with dementia or a young child with a habit of wandering off in crowded shopping malls. Many people even have relationships where they’re honestly fine with certain people always being able to see where they are, whether that’s the boss at work, family members, friends or even partners.
But there’s a fine line between love and obsession, and that’s where the ugly dark side of this technology rears its head. Many manufacturers are likely well aware that their products can be abused in domestic situations, for instance, in the case of a controlling partner who obsessively tracks their spouse’s whereabouts. But for the sake of making their product commercially viable, they instead pitch the product as being perfect to keep track of Fido in case he escapes from the dog park.
To some degree, there’s nothing a manufacturer or retailer of any product can do about someone misusing their products, although if they are so inclined, they can design them from the ground-up to make this more difficult to do. Other manufacturers, however, seem more gung-ho about the fact that they can help people non-consensually spy on their (theoretically cheating) spouse.
Where most sellers shy away from the “stalk your partner!” style of marketing and simply leave the buyer to make that connection themselves, New York-based company SpyTec International currently (as of this writing) promotes and directly advertises its products specifically for this kind of use. Their product descriptions explicitly advertise their suitability for tracking spouses and partners without their consent (see figures 6 and 7 below). Their GPS tracker reviews mostly describe success in stalking spouses, they offer accessories for better hiding their trackers, and even dedicate a page (page archived) to this kind of use.
Figure 6: Screenshot of SpyTec’s ‘About Us’ page – current as of this writing in August 2018.
Figure 7: SpyTec’s covertly-named "Tools for catching a cheater" page (archived).
Considering the prevalence of smartphone-based trackers in domestic abuse situations, this sort of business model is concerning and has feasibly contributed to abuses beyond the mere invasion of privacy.
Unfortunately, there’s no easy-to-use magic gizmo that can tell you whether there’s a GPS tracker or audio bug near you (and yes, we’ve all been lied to by the movies). But, knowing what to look for can help you detect a tracker in a physical search. Additionally, knowing your situation and potential safety threats is crucial to evaluate if you’re at risk of being tracked like this, and if so what methods might be used.
First, you must ask yourself some tough questions to evaluate if you’re at risk of being tracked by someone. Are there particular people or groups that would be interested in where you go? What resources do they have to find this out? How close are you to them, and do they already have access to parts of your life?
Most of us already carry a personal GPS tracker with us everywhere we go in the form of our smartphone, and it leaves a trail of data. On the extreme end, your cellular carrier knows approximately where you are at any given moment based on where your smartphone is, and may sell that information to third parties.
An attacker (or suspicious spouse) can also install spyware on your smartphone, though this typically requires that they have physical access to your unlocked phone. Or, that person could coerce or manipulate you into installing a “friendlier” tracking app. Failing all that, there is also always the option of simply following you and risking being noticed. Or, paying hundreds or thousands of dollars to have a private investigator do the dirty work for them.
So, the main selling feature of using one of these GPS trackers would be if an attacker didn’t want to be noticed, wasn’t able to install apps on your phone, but has some kind of physical proximity to you, even if only temporarily. It’s quick and easy to slip a tracker in a bag or attach it to the underside of a car, the device could function for weeks without needing to recharge, and would cost only a few hundred dollars at most.
The good news is that if you know what you’re looking for, you will have a good chance of success in uncovering one of these devices placed in your physical proximity. The very smallest of these devices is only a bit smaller than a pager, and they’ll be larger if they have larger batteries for longer life, built-in magnets, or a hard case.
Logically, they’re also only going to be placed where they’re useful: within earshot of where “interesting” conversations might happen, or on things that frequently travel with you. This means that physically searching for them can be effective, whether they’re hidden in a coat or bag, left in a glove box or center console, or attached to a vehicle.
Taking the time to familiarize yourself with your car’s underside, engine bay and bumpers can help you spot a freshly placed device when you search. Some kind of vehicle inspection mirror can make this process easier. In general, if it’s attached to your car with magnets instead of bolts and can be removed with some pulling, it’s not supposed to be there. Being proactive and restricting access to your vehicle when possible can also help prevent bugs from being placed.
Figure 8: The TK102 clone in a vinyl bag, and the SpyTec device in a hard case.
Figure 9: No Trackers here, just dirt and rust.
Figure 10: TK102 clone attached. Can you spot it?
Figure 11: SpyTec case securely attached, TK102 clone easily removed.
If you suspect you are being tracked without your consent, this is not normal and feeling betrayed is a common and reasonable reaction. If you do find a tracking device, before you so much as touch it, think about who might’ve placed it there, what their motivations could be, and what would be your most strategic response to this discovery.
Your initial reaction may be to remove and destroy the device or hide it somewhere to leave a false trail, but first heed a word of caution before following this path. It may be far riskier (to your own safety) to remove the device and alert whoever is tracking you to the fact you’ve discovered their bug. Do yourself a favor, take a few deep breaths and leave it be for now while you devote some time figuring out who might have bugged you, and why.
There are in fact devices available that can detect the kinds of bugs that use GSM to communicate, but they’re expensive and may require training to properly use. If you have one and you’re using it for the first time, remember to remove any other GSM devices from the area to avoid simply detecting the cellphone in your pocket. Bear in mind too that many trackers also use accelerometers to sleep when not moving, which could potentially mean that testing would have to happen while the car in question is in motion.
Ultimately, if you’re in a situation where you discover that someone is monitoring you without your knowledge or consent, and you feel like you could be in any kind of danger (whether physical or mental), it’s time to call on friends, family, a lawyer, or other supportive resources to deal with the situation at hand. Dealing with a breach of trust is hard, but doing it alone is far harder.
EDITOR’s NOTE: This blog represents the opinions of the author only, and does not represent an official Cylance endorsement or judgment of any companies, services or products mentioned herein. Cylance is not connected nor compensated in any way by any company, service, or product mentioned in this blog, nor by any competitor to those companies, services or products.