'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

If you want to avoid the cops, or watch deliveries and call-outs by trucks and another vehicles in real-time, well, there's potentially not a lot stopping you. Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular …


  1. jake Silver badge

    Default passwords? In this day and age?

    The '70s on line one, something about wanting their vulnerabilities back.

    Seriously, I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!

    (I won't bother to address the rest of the bumbling mistakes. You're quite welcome.)

    1. Kanhef

      Re: Default passwords? In this day and age?

      And not only that, but 12345? Have people not seen Space Balls?

      1. Steve Knox

        Re: Default passwords? In this day and age?

        What!? They've hacked my luggage!?

        1. IceC0ld

          Re: Default passwords? In this day and age?

          Since then more than 13,500 warning notes have been sent out to people making and operating exposed equipment, we're told, with two replies received

          ==

          13 500 out

          TWO back

          shows the level of interest people seem to have for infosec :o(

          1. Anonymous Coward

            Re: Default passwords? In this day and age?

            Or understanding. If you can't understand what is being talked about, how can you judge its importance?

            And, unfortunately, boiling it down to "we can track your police cars in real-time" will likely get a knee-jerk response.

          2. Alan Brown Silver badge

            Re: Default passwords? In this day and age?

            "13 500 out

            TWO back"

            Based on past attempts to send out warning notes for stuff like this:

            1: I'm surprised that it was that many

            2: I'm also surprised the replies weren't threats to sue

            3: I wouldn't be at all surprised if someone uses this as fodder for some control-freak law making scanning for vulnerabilities illegal, instead of addressing the actual problem.

            Seriously, it's far more common for organisations and individuals to respond to this kind of warning by shooting the messenger than by sending a thank you note.

            1. jake Silver badge

              Re: Default passwords? In this day and age?

              These days they don't bother shooting the messenger. Instead, their minds turn off because "technical", and they ignore it as obviously not applicable to them. Presumably they expect TehIntraWebTubes equivalent of "a little man" will be 'round shortly to sort it ... If they think past the delete button, that is.

            2. Marcus Fil
              Pint

              Re: Default passwords? In this day and age?

              I have been that shot messenger - followed a week later by an apology and a request for assistance in securing information and a request to know how I had discovered what I discovered. I did not give them all the details on the last issue, but enough to show how easy it all is.

              Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators. We cannot trust joe public (or even local law enforcement) to understand the issues.

              Banks and other organisations are starting to tell people to be more careful on the interfaces which cannot be secured by technology alone, but sadly ~50% of the population will always be below average intelligence.

              A pint of beer for the 'white hats'. A pint of piss for the lazy implementers.

              1. Doctor Syntax Silver badge

                Re: Default passwords? In this day and age?

                "Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators."

                Worth a thousand upvotes.

                "Banks and other organisations are starting to tell people to be more careful"

                I'm not convinced of this. Those I've dealt with persist in training their customers to be phished by sending out emails inviting them to click on links, some of which require logins.

                1. Terry 6 Silver badge

                  Re: Default passwords? In this day and age?

                  sending out emails inviting them to click on links, some of which require logins..

                  Worse, the emails (from the banks) often have messages that sound more like scams than the real scams do - as in "Click here for news about your account" type messages

              2. 404

                that shot messenger...

                .. Yeah I don't do that any longer...

                I know where a county sheriff's operations server is just hanging out there wide open - ah ain't a-sayin' shite... They don't like me anyways.

                It's NOT worth the hassle.

              3. Mark 85

                Re: Default passwords? In this day and age?

                A pint of piss for the lazy implementers.

                It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it. <sigh> There's the right thing to do and the corporate/public agency thing to do. One would hope that the corporations and public agencies would for once do the right thing.

                1. theblackhand

                  Re: Default passwords? In this day and age?

                  "It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it."

                  In many cases, the issue is poor planning and a lack of time to fully implement plans - we want to create/configure/deploy A with features W, X, Y and Z. By the time A is in production Y and Z are mostly done, X is on the to do list and W is forgotten about.

                  While this can be seen as a cost issue (if only we'd employed more people or taken more time to plan properly), in many cases this isn't apparent until long after the damage is done. Treating it as a corporate profit issue ignores the other cultural issues that result in these types of security problems.

                  Changing a default password is more likely to have been either a lack of product knowledge or a lack of simple security knowledge ("change any default passwords to something more secure"). Given the number of organisations affected, I'm frankly astonished that somebody within the organisations didn't question the lack of security.

              4. eldakka

                Re: Default passwords? In this day and age?

                ... but sadly ~50% of the population will always be below average intelligence.

                I think you mean median intelligence ;)

                1. dajames

                  Average

                  I think you mean median intelligence ;)

                  OK, I missed the wink of your smiley, you probably don't deserve the downvote I just gave you, but this particular piece of nit-picking gets my goat.

                  BUT you do realize, of course, that the median is just one of the statistical values that are generally referred to as the "average" -- see Wikipedia -- so the remark that "50% of the population will always be below average intelligence" is true because "average" can mean "median".

                  Then again, the distribution of intelligence in the population approximates to a bell-curve (a normal distribution) and one characteristic of the normal distribution is that the mean and the median have the same value. So, again, "50% of the population will always be below average intelligence" holds true.

                  But it's not really worth this debate. The remark is a joke that should pass without comment. 50% of anything will be below "average" (for some value of average), but that's not the point -- the point is that we all tend to forget how stupid some people can be, and it's worth having a bon mot like this to remind us.

              5. thepenisyoulove

                Re: Default passwords? In this day and age?

                NO! I don’t want more government in my life to treat me like I’m a kid. These people who set this up did not change their default username and password. That’s their fault for being lazy or dumb. And now they are going to pay the price of being lazy or dumb. While I agree the design of the application was poor to not force them to change the default, bringing the government into the mix isn’t the solution. Why do all you people think government is the solution to everything?

                1. strum

                  Re: Default passwords? In this day and age?

                  >Why do all you people think government is the solution to everything?

                  Why do you think a corporation is the answer to anything?

              6. Anonymous Coward

                Cops doing their best, unfortunately

                I was on a jury a few years back. A police technical witness, asked about the accused's mobile phone, described all the tools they had for taking a forensic image to prove what calls and texts were made and received on the night of the incident, and that they did not confirm the accused's story that a certain number was sent to them as a contact. Defense stepped up and asked: were those tools used? (yes) and did they show that the number had been dialed on that night? (no, because the police officer couldn't get them to work and in fact had no evidence that either side's story was correct) *sigh*

                1. Graham 32

                  Re: Cops doing their best, unfortunately

                  @AC "I was on a jury a few years back..."

                  Don't they just ask the phone network what calls were made? I'd expect that to be much easier to do and have more reliable results.

                  1. Anonymous Coward

                    Re: Cops doing their best, unfortunately

                    @ Graham 32 - "Don't they just ask the phone network what calls were made?"

                    What annoys me most, and seems often to be overlooked, is that without a voice recording of those same calls, there is no proof that a particular person (generally the "owner" of the phone) actually made the calls. Same with location of the phone being tracked (assuming the "owner" was with it), and similarly about text messages or internet use.

                    Someone else may frame a person if they get access to the phone, or possibly access to the SIM. For location, just leaving a phone by accident or design could suggest the movements of a person when s/he went nowhere near the phone during several minutes / hours / days etc. For example, making it appear the "owner" went to a store, whilst actually staying back to do something (murder?).

                    (In case anyone wonders, I used "owner" because if a phone is being bought over a period with a finance agreement, the buyer might not legally be the owner until the completion of payments.)

          3. Roland6 Silver badge

            Re: Default passwords? In this day and age?

            >shows the level of interest people seem to have for infosec

            Not really. However, it would be interesting for the scan to be repeated in 90 days to get an indication of how many have actually been changed - that would perhaps be a better indication of just how much attention people/organisations actually give to security disclosures...

      2. Anonymous Coward

        Re: Default passwords? In this day and age?

        I wish the AS/400 I occasionally support had default passwords. Bastard thing.

    2. Doctor Syntax Silver badge

      Re: Default passwords? In this day and age?

      "I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!"

      You seriously underestimate marketing.

  2. Chairman of the Bored

    Then again...

    ...this is an own goal for the same team who deploys mass surveillance technologies such as automatic plate recognition under the claim that "if you are driving a vehicle in public you have no reasonable expectation of privacy". Turnabout time, baby.

    1. ecofeco Silver badge
      Facepalm

      Re: Then again...

      Right? Cops wanted mass surveillance and they got it. They just didn't think they would also be victims of it.

  3. Will Godfrey Silver badge
    Black Helicopters

    Oops

    Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

    1. dajames

      Re: Oops

      Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

      On the other hand, it enables them to argue that off-the-shelf solutions are not sufficiently secure for their own use, and they should have a bigger budget to enable them to specify their own systems and have them built ...

      ... and it enables them to argue that there is a vast untapped ocean of information about the movement of others that they are not yet tapping, and they need a bigger budget for that too!

    2. Dr Dan Holdsworth

      Re: Oops

      Actually it has been known for quite a long time that in the UK at least, the police radios were operating on a set of frequencies that nothing else was permitted to use. Now, certain TV receivers can be repurposed as software defined radios, and whilst these cannot decode police radio transmissions, they can determine the strength of these transmissions and use the strength to determine the distance of the transmitter.

      If you are a criminal about to do something naughty, such a McGuffin is a very useful piece of kit, since it warns you if there is a police officer (or rather, a police radio unit presumably closely associated with a police officer) in the immediate vicinity. If this is the case, then the prospective scofflaw can alternatively choose not to break the law whilst in the presence of police officers.

      The devices are marketed in the UK via the usual shady channels, and are described as a way of knowing if emergency vehicles are in the vicinity so that the user can get out of their way. The use of the things is described as "Being in a grey area", which approximates to "If a police officer catches some twerp with one, search the suspicious probable felon and his car immediately and obtain warrants to search his home forthwith".

  4. Wellyboot Silver badge
    Facepalm

    Home Address?

    “What happens when people go after police officers because they know where they live"

    I would expect the only police officers taking cars home after work will be living in very rural parts of the US and half the county probably knows where Deputy Dawg lives already. Everywhere else the car will be back in the pool for the next shift.

    The map is a bit small to show, but I'll guess there aren't any police vehicles in Northern Ireland using this out of the box. A properly organized terrorist like the PIRA (not the current nutjobs looking for paradise) would have loved this level of tracking ability, they'd have been playing pacman for real.

    Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars.

    1. Andy Non Silver badge

      Re: Home Address?

      "Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars."

      Remember, you are only supposed to blow the bloody doors off.

    2. Chairman of the Bored

      Re: Home Address?

      Oddly enough, of the places I've lived in the US the only places I've seen where the police drive marked cars home are the relatively large and prosperous bedroom communities around Washington and New York.

      The theory is that this deters crime. The reality is twofold: it makes the cop's house a target for petty vandalism when the car is not present, and it makes for a lot of whining about 'lazy ass gub'mpnit workers, never on the job' when the car is present.

      I'm in the boonies now and the theory is that money is tight and we cannot afford the luxury of one car per patrolman, so the car goes with the shift, not the man. I'm ok with that.

      BUT! That said we apparently have enough cash for a plate camera on every traffic light and damned near every lamp post.

      Annnnd, if you drive near the sheriff's office your cellular will on occasion get pushed down to 2G suddenly ...with no network connectivity and a cell ID that is unique and nonsensical... despite ample 4G signal. Sometimes this happens near their 'incident command post' SUV.

      1. thepenisyoulove

        Re: Home Address?

        Are you sure this isn’t a chapter from a utopian science fiction novel?

    3. James O'Shea

      Re: Home Address?

      "I would expect the only police officers taking cars home after work will be living in very rural parts of the US and half the county probably knows where Deputy Dawg lives already. everywhere else the car will be back in the pool for the next shift."

      Ah... no. Here in Deepest South Florida it is _very_ common for cops to take their vehicles home with them. One local housing development I know of has, on one road ('Azalea Circle') at least three Palm Beach County Sheriff's Deputies, one each Miami-Dade and Broward County Sheriff's Deputy, and one each West Palm Beach, Royal Palm Beach, Boynton Beach, and Ft. Lauderdale police officers, plus one Florida Highway Patrol, one Florida Fish and Wildlife, and one Federal Border Patrol cop. Those would just be the marked cars. There are also several cars with yellow 'state', 'county', and 'city' and white US Gov license plates, but those might not be cops, just civil servants. Two of the PBCS deputies live next door to each other. The Ft. Lauderdale cop and the Broward deputy live opposite to each other. Two of the US Gov plated cars are parked by houses on the same block as the Border Patrol cop. No doubt there are lots of unmarked cars which don't have yellow plates.

    4. doke

      Re: Home Address?

      I've been told many apartment complexes around here offer discounted rent to police officers who frequently bring home a marked car. The complex wants the crime deterrent.

      1. Anonymous Coward

        Re: Home Address?

        Back in the 80s at NATO HQ in Belgium.

        We were supposed to buy unmarked local cars to avoid being obvious targets for IRA / RAF attacks.

        Unfortunately HQ had a deal with some local car dealer so everyone got identical white Merc E class, with local plates but every window covered in brightly coloured NATO parking passes.

        Since everyone lived in the same few suburbs it made a target you could see from orbit.

  5. ecofeco Silver badge
    Mushroom

    It's almost like...

    ... most of the Internet was designed and built in the cheapest way possible by the least competent companies run by people who think grifting is good business.

    1. jake Silver badge

      Re: It's almost like...

      This isn't about TehIntraWebTubes, per se, rather it's some more fine examples of IoT, and the mentality that drives it.

      1. deive

        Re: It's almost like...

        I'd go further than that and say it is a central tenet of capitalism: to maximise returns to investors, produce the bare minimum you can get away with.

        1. Doctor Syntax Silver badge

          Re: It's almost like...

          "produce the bare minimum you can get away with."

          Which is why, as per a comment above, we need regulation to raise that bare minimum to something adequate.

          1. Charles 9

            Re: It's almost like...

            The government is fair game in capitalism, too. You bribe, cajole, or vote in the most cooperative government you can. If all else fails, you bail out.

          2. thepenisyoulove

            Re: It's almost like...

            Government to the rescue! I can’t figure out how to change a password, please mommy government please spoon feed me and punish the guilty. More laws and more regulation will surely fix everything!

    2. fredj

      Re: It's almost like...

      Please don't forget the great British customer. They really know how to find a bargain even if they are clueless about what they are buying.

      I once worked for a company that bought a dedicated word processor for the price of half a dozen houses just as the first versions of MS office were hitting our desks. It was switched on once after the initialisation and very expensive training. (I did say told you so but was promptly told to shut up)

      Sorry, off subject but that is what you have to cope with when it comes to computer use.

      1. John Brown (no body) Silver badge

        Re: It's almost like...

        "Sorry, off subject but that is what you have to cope with when it comes to computer use."

        Sounds like a typical "no one ever got fired for buying IBM" moment :-)

  6. John Smith 19 Gold badge
    FAIL

    GPS location on the router home page.

    For PHBs who think the SoA in vehicle tracking is "I got a tab for every car. I just go to it and there's its position."

    unfu**ingbelievable.

    Now the default password is not necessarily an issue.

    Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

    The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

    1. Doctor Syntax Silver badge

      Re: GPS location on the router home page.

      Now the default password is not necessarily an issue.

      Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

      Not quite enough. The default password should only get you into a screen that says "For security reasons please change this password to your preferred secure password, and record the new one in a safe place. YOUR DEVICE WILL NOT BECOME OPERATIONAL UNTIL YOU DO THIS." And enforce minimum standards on acceptable passwords.

      1. Charles 9

        Re: GPS location on the router home page.

        No good. Too many complaints. AND some of them have enough money to cause trouble. If you can't make it turnkey, you're not doing it right.

        1. Pascal Monett Silver badge

          Security is not turnkey. It's time we stop people from putting wide-open stuff on the web.

          And please, don't tell me that you can't just type in some characters in a page. It's not that difficult.

          1. rmason

            @Pascal Monett

            He/We know that.

            What he means is many companies would actually see this as a downside, and go with the "easier to use" competitor.

          2. Norman Nescio Silver badge

            Default Passwords

            Changing a default password is not difficult. As you say, it can even be enforced* on 'first boot'.

            However, ensuring the new password is recorded properly and securely, and available to all those authorised to use it, is rather more tricky. It certainly isn't right, but many take the view that having the password recorded in the documentation is positive, and changing it from the default is a disbenefit. You then also have the fun of deciding who should know the password: is it role-based, so any sysadmin for that system should know it, or should it be account based, so everyone who needs access should have their own account and password (which brings in a whole new level of pain and bureaucracy)? Throw in a requirement for accounts to have 2FA, or single sign on, or conform to some other corporate standard or other, and you can understand why some people just keep quiet. It might not be right, but choosing the option that is most likely to give you an easy life here and now, rather than looking for bureaucratic trouble, is, not unpredictably, a popular option.

            Password and account management is not standard across (IoT) hardware. There may not even be an applicable international standard.

            *Unless you do something like break out to a command prompt and bypass the 'first run' script. Not that I have ever done such a thing.

    2. GeekyDee

      Re: GPS location on the router home page.

      The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

      Easy, seed with long passcode through a proper algorithm using the serial number/device name/etc. and spit out a somewhat secure password, not the greatest but better than default and easily tracked down/ recreated if needed
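Taking GeekyDee's suggestion above (a default derived per device from its serial) together with Doctor Syntax's rule further up the thread (the device is not operational until the default is replaced, and the replacement must meet a minimum standard), here is an added example in Python of what both look like in code. It is not the article's, the vendor's, or any commenter's code. The factory secret, the blocklist, the serial numbers and the coordinates are all constructed for the example; a real factory secret lives in the provisioning system, not in a firmware image. The block also shows the shortcut to avoid: an unkeyed hash of the serial, which anyone who reads the label and knows the scheme can reproduce.

```python
import base64
import hashlib
import hmac
import os

# Constructed manufacturer secret for this example; a real one is provisioned
# at the factory and never shipped inside a firmware image.
FACTORY_SECRET = b"example-only-factory-secret"

# Small constructed blocklist standing in for a real common-password list.
BLOCKLIST = {"12345", "123456", "password", "admin", "changeme"}


def derive_default_password(serial: str, secret: bytes = FACTORY_SECRET, length: int = 16) -> str:
    """Per-device default: HMAC-SHA256 over the serial, keyed with the factory secret.

    Every unit gets a different default, support can re-derive it from the
    serial on the label, and the serial alone (without the secret) gives nothing.
    """
    digest = hmac.new(secret, serial.encode(), hashlib.sha256).digest()
    # Base32 keeps it printable and unambiguous; padding is dropped before truncating.
    return base64.b32encode(digest).decode().rstrip("=")[:length]


def weak_default_password(serial: str) -> str:
    """The shortcut to avoid: an unkeyed hash of the serial.

    Anyone who knows the scheme recovers the password from the serial printed
    on the case, so this is barely better than a shared '12345'.
    """
    return hashlib.md5(serial.encode()).hexdigest()[:8]


def meets_policy(candidate: str, forbidden: str) -> bool:
    """Minimum standard enforced on a replacement password."""
    if len(candidate) < 12:
        return False
    if candidate.lower() in BLOCKLIST or candidate == forbidden:
        return False
    return len(set(candidate)) >= 5  # rejects 'aaaaaaaaaaaa'-style strings


class Gateway:
    """Admin interface that serves nothing until the default password is replaced."""

    def __init__(self, serial: str):
        self.serial = serial
        self.default_active = True
        self._salt = os.urandom(16)
        self._stored = self._hash(derive_default_password(serial))

    def _hash(self, password: str) -> bytes:
        # Salted PBKDF2 so a dumped config does not hand over the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self._stored)

    def change_password(self, current: str, new: str) -> bool:
        """Succeeds only if the caller knows the current password and the new one passes policy."""
        if not self.login(current):
            return False
        if not meets_policy(new, forbidden=derive_default_password(self.serial)):
            return False
        self._salt = os.urandom(16)
        self._stored = self._hash(new)
        self.default_active = False
        return True

    def location(self) -> dict:
        """The GPS page the article describes, gated until the default is gone."""
        if self.default_active:
            raise PermissionError("change the default password before the device becomes operational")
        # Constructed sample fix for the example.
        return {"serial": self.serial, "lat": 51.5074, "lon": -0.1278}
```

The caveat GeekyDee's "somewhat secure" hints at is the keying: if the derivation has no secret, or the secret ships in firmware and is pulled out of one unit, every unit's default is recoverable from its label, and you are back to a shared default with extra steps. The first-run gate is what actually closes the hole the article describes, because a derived default that nobody is forced to change still ends up on a public page.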
