Tell Me Where You Are - A Case Study of GPS Tracker Security

Presented at ShellCon 2019, Oct. 11, 2019, 2 p.m. (50 minutes)

Every day we hear about weak security of IoT devices, about vendors that don't take security seriously and how using and not changing default passwords could lead to a leak of important and personal data. GPS trackers made with a default password and predictable serial numbers allow full control of the tracker and leak the user's position. Due to heavy white labeling and use of the same cloud infrastructure, the scale of the problem is huge. I'm going to show and discuss where the weaknesses are, what models and APIs are affected and how they can be exploited. Live demo included. The talk is by itself also a comprehensive guide on analyzing IoT device security, spanning from the Android app to HW.


Presenters:

  • Martin Hron
    Currently a security researcher at Avast. I lead research across various disciplines such as dynamic binary translation, hardware-assisted virtualization, IoT, firmware vulnerabilities and malware analysis. I'm devoted to technology and I'm a true software and hardware reverse engineer, game programmer, tinkerer, AI and IoT mantras practitioner with deep knowledge of OS, CPU and HW architectures. Prior to my current job I worked as an artificial intelligence and game programmer on the MAFIA II game project, and as a Windows kernel SW engineer with encryption file system drivers. I've got almost 25 years of experience in this domain.
