'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

Internet boxes blab coordinates on login pages

By Iain Thomson in San Francisco


Black Hat If you want to avoid the cops, or watch deliveries and call-outs by trucks and another vehicles in real-time, well, there's potentially not a lot stopping you.

Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular devices are fitted to fleet vehicles, police cars, ambulances, and so on, blab their coordinates on webpages served by their built-in web servers from their public IP addresses. Thus, they and their vehicles can be found, inspected, and stalked using port scans and search engines, such as

This security blunder was found by accident after an investigation by F5 Labs into Linux malware took an interesting turn, leading the team to stumble across the gossiping gateways. Since then more than 13,500 warning notes have been sent out to people making and operating exposed equipment, we're told, with two replies were received – one of which was Sierra Wireless, the manufacturer of most of the discovered gateways.

The location information is leaked from misconfigured cellular gateways that are used to connect equipment in a vehicle to the internet via a cellphone network, or provide Wi-Fi that routes connections out to the outside world via a cellular connection.

Gateways from Sierra Wireless, as well as Cradlepoint, Moxa and Digi, were found on the public internet poorly secured by their owners, according to F5. At least in the case of Sierra equipment, they display the unit’s physical location in a device status box on the administrator login page, and possibly still use the username and password defaults of user/12345.

Once logged in to a vulnerable box, a miscreant can meddle with the router's settings, snoop on it, disable it, and so on. Sierra built eight out of ten of the discovered gateways, we're told, and lists California Highway Patrol, Danish National Police, South Wales Police, Seattle Fire Department, and many others, as its customers. Obviously, not every shipped box is subsequently misconfigured by its operators, however, clearly, quite a few are.

One of the gateway's leaky login page ... Click to enlarge (Source: F5 Labs)

“What happens when people go after police officers because they know where they live,” Justin Shattuck, principal threat researcher at F5 Networks, who gave a Black Hat USA talk this week about the findings, told The Register. “Using GPS we know where they buy their donuts, how long to get their orders – we know where they are down to the metre.”

Shattuck and his colleagues spotted something was up in late October 2016 while investigating a Bashlight malware infection at a major European airport: the software nasty, which brute-forces its way into systems, was found lurking on a digital sign that showed arrival and departure times.

The team scanned the rest of the airport's network that month, and found various Sierra Wireless cellular gateways, one of which was publicly accessible. They took their search wider, and found 49,962 internet-facing Sierra Wireless gateways, 84 per cent of which were in the US. By July this year, that was up to 105,400 hosts, with a significant amount in Europe.

The GPS coordinates of the public-facing cellular gateways

The team began looking at what sort of gateways were broadcasting their locations to the public internet. Many were fixed in place, however, some went through regular movements around cities, often during eight or ten-hour shifts. IoT security biz Loryka's Scott Harvey, who worked with the F5 team, told The Register of the moment when he realized what kind of gateway he was following. A cop car in San Francisco.

“We could get the coordinates in real time and track the route of cars,” he explained. “We saw a vehicle in San Francisco go across town and park. When we checked on Google Streetview, we saw the spot was at the police station behind a controlled-access gate. That was an ‘oh shit’ moment – that’s exactly what I said.”

It's going to take a lot of effort to address these information leaks, as it will require alerting users to fetch and install improved firmware, when available. It would also be nice if equipment prompted people to change their passwords after the first login, and locked down access to particular VPNs or login keys. The hardware makers contacted by The Register for comment this week had no spokespeople available to talk.

"If it weren’t for white hat researchers, we would be finding out about discoveries like this from news media after a terror attack, which is entirely too late," the team – Shattuck, Harvey and Sara Boddy and Preston Crowe – claimed. "The right thing to do is avoid the risk by remediating now." ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Biz forked out $115k to tout 'Time AI' crypto at Black Hat. Now it sues organizers because hackers heckled it

Lawsuit argues event bosses breached deal by failing to prevent audience hostility

How to avoid getting burned at Black Hat, destroyed at DEF CON or blindsided by Bsides

Black Hat The noob's guide to Hacker Summer Camp in Las Vegas

It's Black Hat and DEF CON in Vegas this week. And yup, you know what that means. Hotel room searches for guns

Black Hat Because it's America, it's 2019, and after more mass shootings, let alone Mandalay Bay, no one's taking chances

Black-hat sextortionists required: Competitive salary and dental plan

Cybercrims aren't just raking it in – they're dishing it out too

Black Hat USA axes anti-abortion congressman as keynote speaker after outcry – and more news from infosec land

Roundup Your quick guide to hacks, patches and scandal

Hey boffin, take a walk on the wild side: Stuffy academics need to let out their inner black hat

If hackers and nerds played together nicely, security would benefit, reckons compsci boffin

'Black hat' extortionist thrown back in the clink after Yelp-slamming biz

Protip: When freshly paroled, don't immediately trash your victim online

Essex black hat behind Cryptex and reFUD gets two years behind bars

Goncalo Esteves sobbed as he was sentenced

Black hats are great for language diversity, says Eugene Kaspersky

FIC2019 Also reckons Russian hackers go quiet over the Christmas holidays

Black hats are baddie hackers, white hats are goodies, grey hats will sell IP to kids in hoodies

Survey says one in five security pros have been asked to screw over their employer


Integrating Threat Intelligence into Endpoint Security

While threat intelligence can transform an organization's security posture, it can also be complex and costly for organizations to adopt.

SANS Institute: Cloud Security Survey Results

Over 47 percent of surveyed organizations store sensitive business intelligence and IP in the cloud ... yet in 2018, a quarter of respondents realized security events due to poor configuration and insecure APIs.

Get an Office 365 Experience Your Users Will Love

Office 365 can transform your business, but only if your network is up to the task. Here’s what Microsoft recommends.

The Three Pillars of Komprise

Komprise Intelligent Data Management delivers analytic sdriven data management