Spoofing Locations

I found an article about a security researcher, Don Bailey, visiting Boston, Afghanistan, Libya, and the White House. Or so his tracking device reported. He used a Zoombak to report in from multiple places by intercepting its SMS traffic. The device is essentially a GSM module paired with a separate microcontroller. The service sends the device an SMS over GSM, encrypted with A5/2 (the deliberately weakened export variant of the GSM air-interface cipher, which is itself breakable), and the device responds with its location over plain HTTP.

Starting from his own device, Bailey found the T-Mobile numbers the service used by querying the cellular network's Home Location Register (HLR). He then searched for numbers that were online but accepted only SMS, with incoming calls disabled, which is the profile of a machine-to-machine module rather than a handset. Once he had a device's number he could send HTTP location reports as that number, since nothing in the report proved it came from the real device, and make the device appear in different countries within a matter of minutes.

The same technique allows spoofing of SMS responses from GSM-based traffic control systems and SCADA equipment. What it comes down to is that any remote device that takes commands or reports status over SMS through a GSM module, without authenticating those messages, is exposed to this kind of attack. The article even notes that this includes GSM-based skimmers placed on ATMs, which would be a good thing if law enforcement knew how to intercept those devices. Below I'm pasting the talk Bailey gave on this research.
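To make the failure concrete, here is an added example in Python; it is not code from the original article or from Bailey's research, and it is not Zoombak's real protocol. It models a minimal location-report server in two forms. The first acceptance routine reflects the situation described above: the server trusts whichever device number the HTTP report claims, so anyone who has enumerated a device's number via HLR lookup and war-texting can move it anywhere. The second routine is the hardened form: each device holds a per-device secret, every report carries a monotonically increasing counter and an HMAC-SHA256 tag over the device identifier, counter and coordinates, and the server rejects reports with a bad tag or a stale counter. The device identifiers, keys and coordinates are constructed for the example.

```python
import hashlib
import hmac

# Constructed per-device secrets: provisioned at manufacture, never sent over the air.
# Illustrative values only; not Zoombak's real keys or protocol.
DEVICE_KEYS = {
    "447700900001": bytes.fromhex("0f" * 32),
    "447700900002": bytes.fromhex("a5" * 32),
}


def _report_bytes(device_id, counter, lat, lon):
    """Canonical byte encoding of the fields the tag covers."""
    return f"{device_id}|{counter}|{lat:.6f}|{lon:.6f}".encode()


def sign_report(key, device_id, counter, lat, lon):
    """HMAC-SHA256 tag the device computes over its report."""
    return hmac.new(key, _report_bytes(device_id, counter, lat, lon), hashlib.sha256).hexdigest()


def build_report(device_id, counter, lat, lon, key):
    """What the device (or an attacker) POSTs; key is whatever the sender holds."""
    return {
        "device_id": device_id,
        "counter": counter,
        "lat": lat,
        "lon": lon,
        "mac": sign_report(key, device_id, counter, lat, lon),
    }


class LocationServer:
    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}
        self.locations = {}

    def accept_unauthenticated(self, report):
        """Weak design: the claimed device_id is the only 'identity' in the report."""
        self.locations[report["device_id"]] = (report["lat"], report["lon"])
        return True

    def accept_authenticated(self, report):
        """Hardened design: verify the tag with the per-device key and reject replays."""
        device_id = report["device_id"]
        key = self.keys.get(device_id)
        if key is None:
            return False  # unknown device
        counter = report["counter"]
        if counter <= self.last_counter.get(device_id, 0):
            return False  # replayed or stale report
        expected = sign_report(key, device_id, counter, report["lat"], report["lon"])
        # compare_digest is constant-time, so the comparison leaks nothing about the tag
        if not hmac.compare_digest(expected, report["mac"]):
            return False  # wrong key: sender knows the number but not the secret
        self.last_counter[device_id] = counter
        self.locations[device_id] = (report["lat"], report["lon"])
        return True


def demo():
    """Returns (weak_accepts_spoof, strong_accepts_genuine, strong_accepts_spoof,
    strong_accepts_replay, location_recorded_by_strong_server)."""
    dev = "447700900001"
    key = DEVICE_KEYS[dev]
    # Genuine device in Boston (constructed coordinates).
    genuine = build_report(dev, 1, 42.3601, -71.0589, key)
    # Attacker who learned the number but not the key guesses an all-zero key
    # and claims the device is at the White House.
    spoof = build_report(dev, 2, 38.8977, -77.0365, bytes(32))

    weak = LocationServer(DEVICE_KEYS)
    weak.accept_unauthenticated(genuine)
    weak_spoof = weak.accept_unauthenticated(spoof)

    strong = LocationServer(DEVICE_KEYS)
    strong_genuine = strong.accept_authenticated(genuine)
    strong_spoof = strong.accept_authenticated(spoof)
    strong_replay = strong.accept_authenticated(genuine)  # same counter again
    return weak_spoof, strong_genuine, strong_spoof, strong_replay, strong.locations[dev]


if __name__ == "__main__":
    print(demo())
```

Enumeration of device numbers through the HLR is still possible in the hardened design; what changes is that a number alone no longer lets an attacker move the device, because the server binds each report to a secret the attacker never sees. The SMS command channel in the other direction needs the same treatment, otherwise an attacker can still wake a device or redirect it with a crafted text.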

“A Million Little Tracking Devices: Turning Embedded Devices into Weapons”