Criminals are going to love this one hack that can disable ankle bracelets
Forget the car, safe and garage hacks displayed at DEF CON and Black Hat 2015. A security researcher has figured out a way to hack a rather mundane device that is used to keep watch on people under house arrest: the ankle bracelet.
Generally, these anklets are location-tracking devices that use GPS and other technologies to report the position of people in home detention back to the authorities. Equipped with a series of anti-tampering systems, these devices usually notify the police the moment someone tries to tamper with them.
Presenting a talk at the DEF CON 2015 security conference in Las Vegas, William Turner, also known in hacking circles as AmmonRa, described how the ankle tracking bracelets used by police forces globally can be disabled, allowing criminals to run away.
Turner, aka AmmonRa, performed his test on a sample ankle tracking bracelet supplied by GWG International, a Taiwanese manufacturer. He managed to bypass the device's built-in anti-tampering system and took the bracelet off his foot without triggering alerts to police forces and similar authorities.
Turner warned that it’s likely other models could have the same weaknesses, and that the manufacturers should start paying more attention.
“There are issues with these systems, we’d like to think that they’re secure because they’re part of the justice system,” Turner said, “but they’re not perfect by a long shot.”
These devices use GPS and radio frequencies to ascertain the position of the person wearing the anklet, and use mobile networks to send the coordinates back to monitors. Hence, by placing the device inside a Faraday cage, Turner was able to stop it from transmitting data to law enforcement authorities.
Meanwhile, he created a fake phone network inside the Faraday cage so that when he tore the device apart and took out the SIM card, the device could still send the warning message and think it had been delivered, even though it was sent to the spoofed network.
He was then able to obtain the device's phone number by putting the SIM card in his own phone and sending an SMS to another phone. He later used this number with an online SMS spoofing service to send fake messages to the authorities, making them look real and as though they came from that number, giving the impression that the person under house arrest was at home while he was actually fleeing.
It's not easy for someone without a technical background to pull off such a hack, Turner told Motherboard. But someone who does have technical skills could make a device that automatically performs this attack and sell it to people who are under house arrest, he added.
Turner also said in a statement issued to Motherboard that he did not contact GWG International about the issue, since he has had bad experiences reporting vulnerabilities in the past. Moreover, none of the companies selling similar devices that he had contacted in the past seemed interested in helping his research.
“None of the manufacturers really wanted to talk to me about it so I don’t really care,” he said during the talk. “It’s their problem.”
Since most of the manufacturers use the same design architecture for their devices, Turner's methods should theoretically work with tracking ankle bracelets from other manufacturers, according to his presentation.
Criminal groups are likely to show interest in Turner's presentation, because if it is put into practice, it would allow dangerous criminals to escape law enforcement while under house arrest.