Consumer-Grade GPS Tracking Devices: When Dual-Use Implies Abuse

After hours of driving and hiking along a ridge in a state park, I’d found a well-secluded spot to set up camp in the middle of the woods. Three states from home and not even visible from the trail, I was ready for some well-deserved relaxation where no one could find me.

No one, except for the GPS tracker in my pack.

As large as a Zippo lighter, the device had observed my entire road trip, using GSM to periodically upload location information to backend servers for later perusal. And that’s just the basic functionality. If someone knew its phone number and authentication PIN (the super-secure default: 123456), they could tweak other device settings, and even call in to eavesdrop on conversations using the device’s microphone.

All it cost me was about $20 for the device and $25 for a 2G pre-paid SIM.

Enter the world of consumer-grade GPS spying devices. Thanks to the ubiquity of the cellular network and cheap GPS radio chips, there is a wide range of off-the-shelf trackers for pets, vehicles, and nearly anything else that can move. Some attach to a car’s onboard diagnostics (OBD-II) port, some come with collars for dogs or cats, others have magnets to attach to the underside of a vehicle, but nearly all are designed to be small and concealable.

There’s also nearly as much variety in cost, ranging from inexpensive devices that require the purchase of a SIM, to more polished and managed subscription services costing hundreds of dollars.

But I wasn’t interested in a market survey as much as user privacy. Like other surveillance tech, these trackers can easily be abused while their manufacturers hide behind the shield of dual-use: “Our products are only for strictly legal use by upstanding citizens!” they cry. “We just can’t help (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Michael Zandi. Read the original post at: https://threatvector.cylance.com/en_us/home/consumer-grade-gps-tracking-devices-when-dual-use-implies-abuse.html