'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

If you want to avoid the cops, or watch deliveries and call-outs by trucks and other vehicles in real-time, well, there's potentially not a lot stopping you. Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular …

Bronze badge

Default Passwords

Changing a default password is not difficult. As you say, it can even be enforced* on 'first boot'.

However, ensuring the new password is recorded properly and securely, and available to all those authorised to use it is rather more tricky. It certainly isn't right, but many take the view that having the password recorded in the documentation is positive, and changing it from the default is a disbenefit. You then also have the fun of deciding who should know the password: is it role-based, so any sysadmin for that system should know it, or should it be account based, so everyone who needs access should have their own account and password (which brings in a whole new level of pain and bureaucracy). Throw in a requirement for accounts to have 2FA, or single sign on, or conform to some other corporate standard or other, and you can understand why some people just keep quiet. It might not be right, but choosing the option that is most likely to give you an easy life here and now, rather than looking for bureaucratic trouble is, not unpredictably, a popular option.

Password and account management is not standard across (IoT) hardware. There may not even be an applicable international standard.

*Unless you do something like break out to a command prompt and bypass the 'first run' script. Not that I have ever done such a thing.

4
0
Silver badge

It should just work

For any other type of product, such as the police car itself, the customer expects it to just work.

It is time the computer industry stopped blaming the customer and made better products.

25
3
Silver badge

Re: It should just work

Oh, so the secret password of all the devices should still be the same for all and not need to be changed?

Oh, make it different for each and write it down for them - that'll work...it'll never leak...

Turn off the functionality? Then it just doesn't work.

People who use the word should be can't point to a working way to do what "should" be done...sigh.

3
8
Silver badge

Re: It should just work

As they say, that's YOUR job. Either JFDI or come up with a Turing-style disproof so you have an alibi to put in front of a judge.

3
1
Silver badge

Re: It should just work

"People who use the word should be can't point to a working way to do what "should" be done...sigh."

Well, from my perspective, the bloody obvious way is for the management software back at home base to manage all the individual passwords for each device. And that should be well locked down. Yes, that home base, locked down solution might also be vulnerable and that might mean access to the fleet, but that's still better than the fleet being open to everyone, all of the time.

6
1
WTF?

Re: It should just work

The solution is evident. When a device with a fixed username / password, like user/12345, rolls from the belt or better at the final acceptance test, it is hooked up to a computer that logs in, sets username and password to a random value and prints a label. This should then be enforced by law to convince the beancounters of the world.

The device can then be marketed as "Now with improved security bla bla bla".

3
0
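The acceptance-test step proposed in the comment above, sketched as an added example (it is not part of the original thread and is not any vendor's code). The serial numbers, record layout, function names and PBKDF2 iteration count are assumptions; the device keeps only a salted hash, and the plaintext exists only on the printed label.

```python
import hashlib
import hmac
import secrets

# Label-friendly alphabet: no 0/O or 1/l/I, so a printed password can be typed back.
ALPHABET = "abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"
FACTORY_DEFAULT = ("user", "12345")  # the fixed login named in the comment above


def _kdf(password: str, salt: bytes) -> bytes:
    # Iteration count is an assumption; size it to the device's CPU.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def provision(serial: str, length: int = 16):
    """One unit on the test bench: returns (record to flash, username, password)."""
    username = "admin-" + "".join(secrets.choice(ALPHABET) for _ in range(6))
    password = "".join(secrets.choice(ALPHABET) for _ in range(length))
    salt = secrets.token_bytes(16)
    record = {"serial": serial, "username": username,
              "salt": salt.hex(), "pw_hash": _kdf(password, salt).hex()}
    return record, username, password


def label_text(serial: str, username: str, password: str) -> str:
    """Text for the sticker; the plaintext exists only here, not in the record."""
    return f"S/N {serial}\nuser: {username}\npass: {password}"


def login_ok(record: dict, username: str, password: str) -> bool:
    """Device-side check: the factory default is refused outright."""
    if (username, password) == FACTORY_DEFAULT:
        return False
    candidate = _kdf(password, bytes.fromhex(record["salt"]))
    user_match = hmac.compare_digest(username.encode(), record["username"].encode())
    pw_match = hmac.compare_digest(candidate, bytes.fromhex(record["pw_hash"]))
    return user_match and pw_match


def provision_batch(serials):
    """Provision a batch and fail the run if any two units share a password."""
    batch = {s: provision(s) for s in serials}
    if len({pw for _, _, pw in batch.values()}) != len(batch):
        raise RuntimeError("duplicate password in batch")
    return batch


if __name__ == "__main__":
    for serial, (rec, user, pw) in provision_batch(["SN0001", "SN0002"]).items():
        print(label_text(serial, user, pw), "\n")
```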
Anonymous Coward

Re: It should just work

... random passwords printed on a label......

isn't that how wifi-routers have been, like, for ages?

4
0
Silver badge

Re: It should just work

It should just work

For any other type of product, such as the police car itself, the customer expects it to just work.

It is time the computer industry stopped blaming the customer and made better products.

No-one should need to learn how to drive and get a driver's license, it should just work.

No-one should have to do a mechanic's apprenticeship to become a mechanic, cars should just fix themselves.

No-one should have to go to university for 6 years to become a doctor, health should just work.

No-one should have to spend 1000 hours learning how to fly a plane, it should just work.

No-one should have to learn to read and write, it should just work.

No-one should have to learn to sew, clothes should just patch themselves.

IT and computer devices are still a technical field. People still need to learn some basic IT to use IT devices. Just because IT is ubiquitous doesn't mean it doesn't (or shouldn't) require some level of knowledge, some learning curve. Do you really expect someone who's never driven a car before to be able to be put behind the wheel of a manual and just drive it around town, knowing the road rules, the techniques (not just steering the car, but how to keep constant speed, what to look out for)?

Why do people expect highly complex, highly technical, devices to require less knowledge and skill to use than getting a driver's license?

4
4

Re: It should just work

That should be enforced BY LAW? Is there anything in your life that you are okay without the government in it?

0
9

Stingray list?

So if I'm understanding it correctly, these things are Stingrays or similar devices (https://en.wikipedia.org/wiki/Stingray_phone_tracker). The EFF has been trying to find out about police using these devices, as their ability to spy on individuals without a warrant is a matter of concern. https://www.eff.org/search/site/stingray

8
1

Re: Stingray list?

The article seems to suggest it's a router to Internet over cellular service, like the hotspot function on your smartphone. One assumes that the admin port on Stingrays is a bit more secure but then we all know how even the things you would expect to be secure, so often aren't.

12
1
Silver badge

Re: Stingray list?

"One assumes that the admin port on Stingrays is a bit more secure"

Not really. Many of these units are loaned to local police departments by the Feds or larger state police forces. With equipment moving back and forth, managing actual unique and secure passwords would be problematic. Never mind switching to non default TCP/IP ports.

And it appears that the location data is available without needing to log in. Just port scan the appropriate IP blocks, find an Internet-facing cellular gateway and the login page has the latitude/longitude.

5
0
Silver badge

Re: Stingray list?

Many of these units are loaned to local police departments by the Feds or larger state police forces.

Typically in that context, "loaning" includes both a device and an operator for said device.

1
0
Silver badge

I have a Cradlepoint (cradlepoint.com) device that's a mobile router with a GPS receiver. It can conveniently fail over from Ethernet to WiFi to 4G for the upstream connection. So yes, a hotspot.

5
0
Anonymous Coward

Why did they have to pull the terrorist card?

"If it weren’t for white hat researchers, we would be finding out about discoveries like this from news media after a terror attack"

No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book.

On the other hand, they could have mentioned how handy knowledge of the position of patrol cars is for burglars of all levels of sophistication. The old fashioned way of doing this was to have associates physically tail the police and report if they were getting close to the area of the crime and/or create a distraction if they did.

That, in my humble view, is an instant and quite unnecessary loss of credibility by the researchers: they may be good with the clickety stuff but comments like the above show no awareness of the wider picture.

10
1
Windows

Re: Why did they have to pull the terrorist card?

"...if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book."

Er, actually, near me in the UK, you'd be blowing up an Aldi, a car park, some new houses, and a large hole in the ground. And more stations are closing soon apparently. We see a patrol car about once a week, and the helicopter flies over when the football is on. Haven't seen an actual police officer walking a beat for five or six years or so.

I live one mile from the centre of a city of 1 million by the way.

18
0

Re: Why did they have to pull the terrorist card?

>1 million.

Birmingham or Manchester? :P

5
1
Silver badge

Re: Why did they have to pull the terrorist card?

"No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book."

Not here in the UK if you want any sort of decent hit rate. Most of those 1995 addresses are bare land, housing estates or anything BUT a police station these days.

10
0
Anonymous Coward

Re: Why did they have to pull the terrorist card?

> Not here in the UK if you want any sort of decent hit rate.

Yes I did think about it. Admittedly, it does make the reconnaissance part a bit more costly than it needs to be, but think about the smugness as they pore through your digital devices looking for planning evidence.

Plus I think the audience will like the retro twist when we sell the film rights.

3
0
Pint

Re: Why did they have to pull the terrorist card?

Brum

Well spotted

4
0
Silver badge

Re: Why did they have to pull the terrorist card?

>No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station

You have been conditioned into believing that 'terrorism' is confined to mad beardies with suicide belts. But there are more sophisticated terrorists about. Northern Ireland has seen many, many personal attacks on policemen/women - at their homes.

0
0
Silver badge

Default passwords...

They should do a HARD crash if it remains the "default" after a set time (1 week sounds fine). If it remains, reduce by half each subsequent restart until it "bricks" and it won't do anything.

The other suggestion of no functionality until a password is set also sounds good to me.

I am reminded of an operating system from the late 60's that had its system password set to an address that changed with every system generation. You had to look at the listing to figure it out. So, it can be done.

1
3
Silver badge

Re: Default passwords...

Except there will be people who just don't get it and will complain to the point of filing lawsuits for defective products. And some of the complainants will have enough money or connections to cause problems regardless of fault, unless there's some kind of law in the books that penalizes "being bloody stupid".

4
3
Bronze badge
Joke

Re: Default passwords...

Maybe it's a user-interface problem?

The people who have such difficulties with passwords tend to be the same people who don't mind having bunches of keys and combination locks protecting stuff that doesn't really need it. So instead of a password, why not have physical Yale and Chubb locks that take actual keys, and a numeric keypad?

7
0
Silver badge

Re: Default passwords...

I'd given a thought to that, actually (BEING SERIOUS HERE). In the old days, some PCs actually had locks on them so that if they're turned one way, the keyboard was disabled. Perhaps they should re-institute the key lock, flip-covered button, or some other form of physical safeguard. It doesn't necessarily have to be high security for this case (though they can be for when necessary like enterprise applications), just not meant to be tripped accidentally AND physically separate from the normal user interface to reduce the chance of click fatigue/zombie action.

4
0
Flame

Re: Default passwords...

Frankly, if someone can't understand or be bothered to carry out a single straightforward instruction, they're a danger to themselves and others and shouldn't be permitted to use the thing.

9
1
Silver badge

Re: Default passwords...

So you're going to demand laws regulating things used in the privacy of their homes? Slippery slope here. At least cars run on government-funded roads.

0
6
Silver badge

Re: Default passwords...

Quote: "So you're going to demand laws regulating things used in the privacy of their homes? Slippery slope here. At least cars run on government-funded roads."

How is this really any different than say gas or electric appliances in a home?

With a home's gas and electric supplies, these are (usually) connecting to public infrastructure. As this is public infrastructure (although typically owned and managed by one or more private companies), you are governed by legislation, to make sure your house is up to standard (up to code), i.e. it's safe, the gas isn't going to leak, you're hopefully not going to have an electrical fire etc.

There is very little difference to me, between that, and making sure anything connecting to the public Internet is also 'up-to-code'.

3
2
Silver badge

Re: Default passwords...

Last I checked, though, the Internet can't directly cause a fire and damage neighboring property (including PUBLIC property like the nearby street): allowing an overriding public interest like with the cars. Plus, most Internet infrastructure is privately owned.

0
0
Silver badge

Easy consumer law regulation

Just fine companies some % of turnover for using the same user/pass combination on more than one item.

Even just using digits from the serial number would be safeR than default credentials.

2
0
Anonymous Coward

Re: Easy consumer law regulation

So what happens when (not if) the company finds a legal way to wipe out their turnover?

0
0
Silver badge

Re: Easy consumer law regulation

>So what happens when (not if) the company finds a legal way to wipe out their turnover?

Then they cease to exist. (hint: turnover =/= profit)

1
0
Silver badge

Re: Easy consumer law regulation

"Then they cease to exist. (hint: turnover =/= profit)"

Hint: That's what lawyers and accountants are for. Ever heard of tax avoidance? If it costs less to hide their turnover than to pay the fine, they'll find a way to do it. Worse comes to worse, they'll cajole the public into changing the laws.

0
0

Why an Internet APN?

I find it interesting that these cellular gateways were connected to an APN that was public Internet. I would have thought that the police & fire departments would connect these devices to an APN that connected them to a private network that only those departments could access.

This is what we do with our WAN routers which have 4G failover for the primary MPLS connection. The 4G IP addresses are routable via the MPLS the telco provides us. The PPP AAA from the 4G interface is even routed to our own RADIUS servers so I can set the username, password, IP address the interface gets as well as defining static routes via RADIUS for these connections. We also have some sites that 4G is their only connectivity and they connect this way too. It took a little bit of effort to set this up with the telco in the beginning but it's one of their standard offerings for enterprise customers so it wasn't that hard either. Not exactly rocket science, but we change the default credentials too and apply security updates when required.

2
0
Silver badge
Unhappy

What about the trucks?

Loads of speculation about the police, but from my reading of the article this tracking technology is also used for tracking commercial vehicles. Much used in fleet logistics (though not necessarily all using these dodgy gateways).

In the UK delivery services such as DPD provide live tracking of the delivery van via a web page. So the delivery vans must be updating the central server.

I imagine security vehicles moving cash and other valuables around (such as collection/delivery for banks and major stores) are tracked to the inch. It would be good to know if the huge amounts of cash in transit (other brands of van are available) are being tracked via insecure gateways. Likewise ambulances and fire engines.

Not all these scenarios will be a significant threat, but if you can track a truck known to carry high value cargo this must create opportunities for criminals.

1
0
Silver badge

Re: What about the trucks?

If a cargo is REALLY high value, it's bound to have guards and other safeguards (such as using an armored truck). It's very hard to transport something very valuable very secretly. Even if you try obfuscation, you can never rule out the possibility of moles.

0
1
Silver badge

On the plus side

They should be able to find everyone to tell them to upgrade their software!

0
0
