'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

If you want to avoid the cops, or watch deliveries and call-outs by trucks and another vehicles in real-time, well, there's potentially not a lot stopping you. Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular …

Silver badge

Default passwords? In this day and age?

The '70s on line one, something about wanting their vulnerabilities back.

Seriously, I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!

(I won't bother to address the rest of the bumbling mistakes. You're quite welcome.)

54
2

Re: Default passwords? In this day and age?

And not only that, but 12345? Have people not seen Spaceballs?

74
0
Silver badge

Re: Default passwords? In this day and age?

What!? They've hacked my luggage!?

64
1
Bronze badge

Re: Default passwords? In this day and age?

Since then more than 13,500 warning notes have been sent out to people making and operating exposed equipment, we're told, with two replies received

==

13 500 out

TWO back

shows the level of interest people seem to have for infosec :o(

82
0
Anonymous Coward

Re: Default passwords? In this day and age?

Or understanding. If you can't understand what is being talked about, how can you judge its importance?

And, unfortunately, boiling it down to "we can track your police cars in real-time" will likely get a knee-jerk response.

53
0
Silver badge

Re: Default passwords? In this day and age?

"13 500 out

TWO back"

Based on past attempts to send out warning notes for stuff like this:

1: I'm surprised that it was that many

2: I'm also surprised the replies weren't threats to sue

3: I wouldn't be at all surprised if someone uses this as fodder for some control-freak law making scanning for vulnerabilities illegal, instead of addressing the actual problem.

Seriously, it's far more common for organisations and individuals to respond to this kind of warning by shooting the messenger than by sending a thank you note.

76
0
Silver badge

Re: Default passwords? In this day and age?

These days they don't bother shooting the messenger. Instead, their minds turn off because "technical", and they ignore it as obviously not applicable to them. Presumably they expect TehIntraWebTubes equivalent of "a little man" will be 'round shortly to sort it ... If they think past the delete button, that is.

24
1
Pint

Re: Default passwords? In this day and age?

I have been that shot messenger - followed a week later by an apology and a request for assistance in securing information and a request to know how I had discovered what I discovered. I did not give them all the details on the last issue, but enough to show how easy it all is.

Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators. We cannot trust Joe Public (or even local law enforcement) to understand the issues.

Banks and other organisations are starting to tell people to be more careful on the interfaces which cannot be secured by technology alone, but sadly ~50% of the population will always be below average intelligence.

A pint of beer for the 'white hats'. A pint of piss for the lazy implementers.

44
2
Silver badge

Re: Default passwords? In this day and age?

"I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!"

You seriously underestimate marketing.

32
0
Silver badge

Re: Default passwords? In this day and age?

"Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators."

Worth a thousand upvotes.

"Banks and other organisations are starting to tell people to be more careful"

I'm not convinced of this. Those I've dealt with persist in training their customers to be phished by sending out emails inviting them to click on links, some of which require logins.

27
1
404
Silver badge

that shot messenger...

.. Yeah I don't do that any longer...

I know where a county sheriff's operations server is just hanging out there wide open - ah ain't a-sayin' shite... They don't like me anyways.

It's NOT worth the hassle.

19
0
Silver badge

Re: Default passwords? In this day and age?

A pint of piss for the lazy implementers.

It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it. <sigh> There's the right thing to do and the corporate/public agency thing to do. One would hope that the corporations and public agencies would for once do the right thing.

11
2
Silver badge

Re: Default passwords? In this day and age?

sending out emails inviting them to click on links, some of which require logins...

Worse, the emails (from the banks) often have messages that sound more like scams than the real scams do - as in "Click here for news about your account" type messages

14
0

Re: Default passwords? In this day and age?

"It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it."

In many cases, the issue is poor planning and a lack of time to fully implement plans - we want to create/configure/deploy A with features W, X, Y and Z. By the time A is in production Y and Z are mostly done, X is on the to do list and W is forgotten about.

While this can be seen as a cost issue (if only we'd employed more people or taken more time to plan properly), in many cases this isn't apparent until long after the damage is done. Treating it as a corporate profit issue ignores the other cultural issues that result in these types of security problems.

Changing a default password is more likely to have been either a lack of product knowledge or a lack of simple security knowledge ("change any default passwords to something more secure"). Given the number of organisations affected, I'm frankly astonished that somebody within the organisations didn't question the lack of security.

6
0
Silver badge

Re: Default passwords? In this day and age?

>shows the level of interest people seem to have for infosec

Not really. However, it would be interesting for the scan to be repeated in 90 days to get an indication of how many have actually been changed - that would perhaps be a better indication of just how much attention people/organisations actually give to security disclosures...

6
0
Silver badge

Re: Default passwords? In this day and age?

... but sadly ~50% of the population will always be below average intelligence.

I think you mean median intelligence ;)

2
3
Silver badge

Average

I think you mean median intelligence ;)

OK, I missed the wink of your smiley, you probably don't deserve the downvote I just gave you, but this particular piece of nit-picking gets my goat.

BUT you do realize, of course, that the median is just one of the statistical values that are generally referred to as the "average" -- see Wikipedia -- so the remark that "50% of the population will always be below average intelligence" is true because "average" can mean "median".

Then again, the distribution of intelligence in the population approximates to a bell-curve (a normal distribution) and one characteristic of the normal distribution is that the mean and the median have the same value. So, again, "50% of the population will always be below average intelligence" holds true.

But it's not really worth this debate. The remark is a joke that should pass without comment. 50% of anything will be below "average" (for some value of average), but that's not the point -- the point is that we all tend to forget how stupid some people can be, and it's worth having a bon mot like this to remind us.

11
3

Re: Default passwords? In this day and age?

NO! I don’t want more government in my life to treat me like I’m a kid. These people who set this up did not change their default username and password. That’s their fault for being lazy or dumb. And now they are going to pay the price of being lazy or dumb. While I agree the design of the application was poor to not force them to change the default, bringing the government into the mix isn’t the solution. Why do all you people think government is the solution to everything?

1
3
Anonymous Coward

Cops doing their best, unfortunately

I was on a jury a few years back; the police technical witness, asked about the accused's mobile phone, described all the tools they had for taking a forensic image to prove what calls and texts were made and received on the night of the incident, and that they did not confirm the accused's story that a certain number was sent to them as a contact. Defense stepped up and asked: were those tools used? (Yes.) And did they show that the number had been dialed on that night? (No, because the police officer couldn't get them to work and in fact had no evidence that either side's story was correct.) *sigh*

1
0

Re: Cops doing their best, unfortunately

@AC "I was on a jury a few years back..."

Don't they just ask the phone network what calls were made? I'd expect that to be much easier to do and have more reliable results.

0
0
Anonymous Coward

Re: Default passwords? In this day and age?

I wish the AS/400 I occasionally support had default passwords. Bastard thing.

1
0
Silver badge

Re: Default passwords? In this day and age?

>Why do all you people think government is the solution to everything?

Why do you think a corporation is the answer to anything?

1
0
Anonymous Coward

Re: Cops doing their best, unfortunately

@ Graham 32 - "Don't they just ask the phone network what calls were made?"

What annoys me most, and seems often to be overlooked, is that without a voice recording of those same calls, there is no proof that a particular person (generally the "owner" of the phone) actually made the calls. Same with location of the phone being tracked (assuming the "owner" was with it), and similarly about text messages or internet use.

Someone else may frame a person if they get access to the phone, or possibly access to the SIM. For location, just leaving a phone by accident or design could suggest the movements of a person when s/he went nowhere near the phone during several minutes / hours / days etc. For example, making it appear the "owner" went to a store, whilst actually staying back to do something (murder?).

(In case anyone wonders, I used "owner" because if a phone is being bought over a period with a finance agreement, the buyer might not legally be the owner until the completion of payments.)

1
0
Silver badge

Then again...

...this is an own goal for the same team who deploys mass surveillance technologies such as automatic plate recognition under the claim that "if you are driving a vehicle in public you have no reasonable expectation of privacy". Turnabout time, baby.

67
0
Silver badge
Facepalm

Re: Then again...

Right? Cops wanted mass surveillance and they got it. They just didn't think they would also be victims of it.

64
0
Silver badge
Black Helicopters

Oops

Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

49
0
Silver badge

Re: Oops

Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

On the other hand, it enables them to argue that off-the-shelf solutions are not sufficiently secure for their own use, and they should have a bigger budget to enable them to specify their own systems and have them built ...

... and it enables them to argue that there is a vast untapped ocean of information about the movement of others that they are not yet tapping, and they need a bigger budget for that too!

2
1
Silver badge

Re: Oops

Actually it has been known for quite a long time that in the UK at least, the police radios were operating on a set of frequencies that nothing else was permitted to use. Now, certain TV receivers can be repurposed as software defined radios, and whilst these cannot decode police radio transmissions, they can determine the strength of these transmissions and use the strength to determine the distance of the transmitter.

If you are a criminal about to do something naughty, such a McGuffin is a very useful piece of kit, since it warns you if there is a police officer (or rather, a police radio unit presumably closely associated with a police officer) in the immediate vicinity. If this is the case, then the prospective scofflaw can alternatively choose not to break the law whilst in the presence of police officers.

The devices are marketed in the UK via the usual shady channels, and are described as a way of knowing if emergency vehicles are in the vicinity so that the user can get out of their way. The use of the things is described as "Being in a grey area", which approximates to "If a police officer catches some twerp with one, search the suspicious probable felon and his car immediately and obtain warrants to search his home forthwith".

1
0
Silver badge
Facepalm

Home Address?

“What happens when people go after police officers because they know where they live"

I would expect the only police officers taking cars home after work will be living in very rural parts of the US, and half the county probably knows where Deputy Dawg lives already. Everywhere else the car will be back in the pool for the next shift.

The map is a bit small to show, but I'll guess there aren't any police vehicles in Northern Ireland using this out of the box. A properly organized terrorist like the PIRA (not the current nutjobs looking for paradise) would have loved this level of tracking ability, they'd have been playing pacman for real.

Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars.

75
2

Re: Home Address?

"Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars."

Remember, you are only supposed to blow the bloody doors off.

53
0
Silver badge

Re: Home Address?

Oddly enough, of the places I've lived in the US the only places I've seen where the police drive marked cars home are the relatively large and prosperous bedroom communities around Washington and New York.

The theory is that this deters crime. The reality is twofold: it makes the cop's house a target for petty vandalism when the car is not present, and it makes for a lot of whining about 'lazy ass gub'mint workers, never on the job' when the car is present.

I'm in the boonies now and the theory is that money is tight and we cannot afford the luxury of one car per patrolman, so the car goes with the shift, not the man. I'm ok with that.

BUT! That said we apparently have enough cash for a plate camera on every traffic light and damned near every lamp post.

Annnnd, if you drive near the sheriff's office your cellular will on occasion get pushed down to 2G suddenly ...with no network connectivity and a cell ID that is unique and nonsensical... despite ample 4G signal. Sometimes this happens near their 'incident command post' SUV.

19
0
Silver badge

Re: Home Address?

"I would expect the only police officers taking cars home after work will be living in very rural parts of the US, and half the county probably knows where Deputy Dawg lives already. Everywhere else the car will be back in the pool for the next shift."

Ah... no. Here in Deepest South Florida it is _very_ common for cops to take their vehicles home with them. One local housing development I know of has, on one road ('Azalea Circle') at least three Palm Beach County Sheriff's Deputies, one each Miami-Dade and Broward County Sheriff's Deputy, and one each West Palm Beach, Royal Palm Beach, Boynton Beach, and Ft. Lauderdale police officers, plus one Florida Highway Patrol, one Florida Fish and Wildlife, and one Federal Border Patrol cop. Those would just be the marked cars. There are also several cars with yellow 'state', 'county', and 'city' and white US Gov license plates, but those might not be cops, just civil servants. Two of the PBCS deputies live next door to each other. The Ft. Lauderdale cop and the Broward deputy live opposite to each other. Two of the US Gov plated cars are parked by houses on the same block as the Border Patrol cop. No doubt there are lots of unmarked cars which don't have yellow plates.

3
0

Re: Home Address?

I've been told many apartment complexes around here offer discounted rent to police officers who frequently bring home a marked car. The complex wants the crime deterrent.

11
0
Anonymous Coward

Re: Home Address?

Back in the 80s at NATO HQ in Belgium.

We were supposed to buy unmarked local cars to avoid being obvious targets for IRA / RAF attacks.

Unfortunately HQ had a deal with some local car dealer so everyone got identical white Merc E class, with local plates but every window covered in brightly coloured NATO parking passes.

Since everyone lived in the same few suburbs it made a target you could see from orbit.

12
0

Re: Home Address?

Are you sure this isn’t a chapter from a utopian science fiction novel?

1
0
Silver badge
Mushroom

It's almost like...

... most of the Internet was designed and built in the cheapest way possible by the least competent companies run by people who think grifting is good business.

29
8
Silver badge

Re: It's almost like...

This isn't about TehIntraWebTubes, per se, rather it's some more fine examples of IoT, and the mentality that drives it.

29
2

Re: It's almost like...

I'd go further than that and say it is a central tenet of capitalism: to maximise returns to investors, produce the bare minimum you can get away with.

18
0
Silver badge

Re: It's almost like...

"produce the bare minimum you can get away with."

Which is why, as per a comment above, we need regulation to raise that bare minimum to something adequate.

20
2

Re: It's almost like...

Please don't forget the great British customer. They really know how to find a bargain even if they are clueless about what they are buying.

I once worked for a company that bought a dedicated word processor for the price of half a dozen houses just as the first versions of MS office were hitting our desks. It was switched on once after the initialisation and very expensive training. (I did say told you so but was promptly told to shut up)

Sorry, off subject but that is what you have to cope with when it comes to computer use.

15
1
Silver badge

Re: It's almost like...

The government is fair game in capitalism, too. You bribe, cajole, or vote in the most cooperative government you can. If all else fails, you bail out.

6
0
Silver badge

Re: It's almost like...

"Sorry, off subject but that is what you have to cope with when it comes to computer use."

Sounds like a typical "no one ever got fired for buying IBM" moment :-)

7
0

Re: It's almost like...

Government to the rescue! I can’t figure out how to change a password, please mommy government please spoon feed me and punish the guilty. More laws and more regulation surely fixed everything!

0
6


Gold badge
FAIL

GPS location on the router home page.

For PHBs who think the SoA in vehicle tracking is "I got a tab for every car. I just go to it and there's its position."

unfu**ingbelieveable.

Now the default password is not necessarily an issue.

Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

6
3
Silver badge

Re: GPS location on the router home page.

Now the default password is not necessarily an issue.

Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

Not quite enough. The default password should only get you into a screen that says "For security reasons please change this password to your preferred secure password, and record the new one in a safe place. YOUR DEVICE WILL NOT BECOME OPERATIONAL UNTIL YOU DO THIS." And enforce minimum standards on acceptable passwords.

43
0
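The provisioning gate described in the comment above, as an added illustration (not code from any commenter or vendor): the factory credential reaches only a mandatory password-change screen, a minimum policy is enforced, and the GPS page stays unavailable until the change is done. The device API, the policy thresholds and the serial number are assumptions.

```python
"""Constructed example of a first-boot credential gate for a cellular gateway.
The factory password "12345" (the default quoted in the thread) only ever
opens the change-password screen; nothing else works until a password that
passes the policy has been set. All names and thresholds are assumptions."""
import hashlib
import hmac
import os
import re

FACTORY_PASSWORD = "12345"
MIN_LENGTH = 12
COMMON = {"12345", "password", "admin", "letmein"}   # tiny constructed blocklist


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; a shipping device would tune iterations.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def password_problems(candidate: str, serial: str) -> list:
    """Return the policy rules the candidate violates (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in COMMON or candidate == FACTORY_PASSWORD:
        problems.append("is a default or common password")
    if serial and serial.lower() in candidate.lower():
        problems.append("contains the device serial number")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems


class Gateway:
    """Minimal state machine: stays in 'setup' until the factory credential is replaced."""

    def __init__(self, serial: str):
        self.serial = serial
        self.state = "setup"
        self._salt = os.urandom(16)
        self._hash = _hash(FACTORY_PASSWORD, self._salt)

    def login(self, password: str) -> str:
        if not hmac.compare_digest(self._hash, _hash(password, self._salt)):
            return "denied"
        # While in setup the only page reachable is the change-password screen.
        return "change_password" if self.state == "setup" else "dashboard"

    def change_password(self, current: str, new: str) -> list:
        if self.login(current) == "denied":
            return ["current password incorrect"]
        problems = password_problems(new, self.serial)
        if not problems:
            self._salt = os.urandom(16)
            self._hash = _hash(new, self._salt)
            self.state = "operational"
        return problems

    def gps_position(self):
        """The location page is unavailable until provisioning is complete."""
        if self.state != "operational":
            return None
        return {"lat": 51.5, "lon": -0.1}   # constructed fixed value
```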
Silver badge

Re: GPS location on the router home page.

No good. Too many complaints. AND some of them have enough money to cause trouble. If you can't make it turnkey, you're not doing it right.

6
6
Silver badge

Security is not turnkey. It's time we stop people from putting wide-open stuff on the web.

And please, don't tell me that you can't just type in some characters in a page. It's not that difficult.

8
0

Re: GPS location on the router home page.

The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

Easy: seed with a long passcode through a proper algorithm using the serial number/device name/etc. and spit out a somewhat secure password; not the greatest, but better than the default, and easily tracked down/recreated if needed.

1
0
Silver badge

@Pascal Monett

He/We know that.

What he means is many companies would actually see this as a downside, and go with the "easier to use" competitor.

2
0


Biting the hand that feeds IT © 1998–2018