 I'm here to talk about ankle monitors. And just at the start of the talk, I would like to say that I'm keeping this limited to ankle monitors used in other countries. Because I sort of want to keep some friends here. Like I might not want to go to a country where I've just hacked all our stuff. That might be a thing. So first introduction. I'm not a security researcher. I'm just a developer at a bank, at the rebel bank. Nice place to work at. I sort of stumbled into this by accident. I wouldn't exactly call it an accident. But it's basically my partner at the time really wanted to know where I was at the time. I kept sending these WhatsApp GPS links. And you can track someone for like eight hours. And they know what you're doing. So eventually I got around to watching talks on DEF CON about ankle monitors. And there was this guy who hacked the ankle monitor. And I was like, maybe I can do this, but better. So maybe I can actually make these things usable. And it turned out I was able to order one. And I was able to make them useful. And a few years later, I got the opportunity to apply for a talk here. And I did. So yeah, here I am. You can see on the screen the URL of my website. You can actually download the software. You can use these trackers with. I'm not saying it's perfectly secure or the best code. It's a hobby project. So if there's any bugs in it, let me know. In this presentation, I'll just be beginning with how it all started. Basically, looking at a CVE about GPS trackers and examining the different devices and different protocols they use. And then maybe later on, the security implications of all that stuff. But before I get started, let's get this thing off. So that should work. So it does actually give alarm. I'm not sure how long this is going to last. So as you can see, these ankle monitors really do work for monitoring people and seeing generally where they are. So how this all got started. 
Aliexpress, you can actually buy ankle monitors from the internet. That should work. So you can actually buy ankle monitors. This is not a very advanced model. It also doesn't have a great battery life. It's just generally not the best technological option. If you want to monitor something, it does work. And they're freely available. So these are just a great way to get started. This is just something that's available to the public. In this talk, I won't be focusing on this one, mainly because technologically it's not that great. And the one I was just wearing is a lot more effective and a lot more interesting because it's actually used, not just by private individuals. So yeah. But this is how it all got started. And this is how it's going. So this is a box of ankle monitors. I have a few with me in the speaker stand. So that's kind of how it goes. I have another one here. This one is actually the one I'm most proud of talking out of a company because it has a metal cuff on it. And maybe some of you know that China had some issues with some complaints about how humanitarian their prisons were. And it became very difficult to social engineer anything out of China for a while, especially metal restraints for a reason. So it took quite some effort to get this beta model of ankle monitor out of that company. But it worked. So I'm most proud of this one. So we have a CVE. I'm sure you can all sort of laugh at this. This is for car GPS trackers. And the thing is, most of the companies that produce the chipsets for these things, they also make car GPS trackers. There's a giant overlap between the chipsets of ankle monitor and what's used in a car tracker. So this CVE might sort of apply to these devices. But there's way more than just that going on. Way more. Because this is also for ankle monitors, also for car trackers. And as you can see, it's fairly easy to access their log. You just have to type in the URL. These slides are available. 
And the data is also freely available, apparently. So yeah. So how did I get this information? Or how did I get this tracker? Just ask. Just talk to the company. Here's a conversation I'm having with a person from, I think this is my rope, where they produce the watch type trackers. They're actually more modern, I would say, and more convenient. So here I'm explaining, I have my own platform for using GPS trackers on. And they're way impressed with how I'm able to communicate with those things. Easily impressed. It's nice to be able to talk to a company like that and just get information from them. You can see here where they're sending a manual. This actually includes commands to set up a device to a server. So you might be able to see how that can be abused to set a lot of those devices up against different servers. And that's exactly basically what I did with this one. I just proxied it via my own server, watched the data, looked at how does it work, how does it communicate with their server, because I just proxied it. And I basically copied all the information and wrote a protocol driver for it. So yeah. And the trick with Chinese companies is basically you pretend to be a big company, you're doing research, you're trying to find out which device is best to use. And there's different manufacturers, so you just kind of start a conversation, talk to them, ask if you can order samples, that kind of stuff. And yeah, you end up with a tracker. Sometimes it's way more difficult in this case. And you have to kind of say, OK, we're worried about the longevity of it. Like the metal strap might be sturdier, that kind of stuff. So you've got to have to play innocent a bit. But yeah, that should work. And you should be able to acquire some of these. And it's actually cheaper to buy them off of Alibaba than it is to buy them off of Aliexpress. 
So if you buy them directly off of the company or your social engineer, you're probably paying like half or a third of the price on Aliexpress. So it's worth trying if you want a whole bunch of GPS trackers. The first thing I showed was this one. This is actually a Jimmy GPS tracker. It's an AM01. They're actually based on a chipset that's used in cars. If you saw, some of you maybe saw Amon Ra's Def Con talk where he also talks about one that's based on car chipsets. This is a common theme. The people who produce GPS trackers, produce GPS trackers for all sorts of things, including people. So this thing is decent as far as usability goes. It has fairly good battery life, like three to four days if you configure it right. I would say the waterproofing on it is rather poor. So I would not want to use this day to day. The one I threw over there has much better waterproofing, which is going to be useful if you want to take showers frequently. But yeah, this is basically the brochure for this thing. You can see that it's meant for offender tracking. It's also actually used for that. And also as an attachment point for where you can basically attach someone to a wall with it, with a metal version. That's probably why it took a bit to social engineer the side of them. So your Jimmy trackers, they get you weird friends. Like when you make a post on GPS trackers, right? People might be interested. So if I wrote a server for these things, I got contacted by this guy. So essentially, I ended up turning or letting this guy use my server to monitor people. And he's using it for entirely different purposes than they were supposed to be used for. But I'm definitely not sorry for doing this to that company. And this guy ended up becoming a good friend, so it's worth it. He's also the best beta tester you will ever have. Like imagine running around town with basically a police siren going off on your leg, like that's dedication. 
So here's the video they made themselves on actual assembly of this device. So here you can see exactly how it's opened. And it has a few screws on the inside. So fairly hard to reach, I would say. It's a fairly standard device. On the top here, you see the GPS antenna. There's a light sensor somewhere around here. I think there's a button switch somewhere for if you remove the PCB. And what they're first going to do is disconnect the speaker just so they can get the case off. The newer versions actually have a Bluetooth antenna on the outside of the case. So you can also do Bluetooth indoor location. So that's a nice thing to have with the fancier trackers. Some even have RF tracking, not this brand or model. So there's tamper detection here. There's basically a switch that goes off if you remove the PCB. There's actually a light sensor in this part. So if you open the case, it'll go off. And if you can see here, there's the attachment points for the strap. And these attachment points, they actually have wires going to them. So there's an inductive sensor. So it's not that there's constant current running through it, but it does detect if you take it off. I would say with this model, it's too sensitive. So you get a few false positives with that other model. That's also not an issue. But there's false positives in this case. They do not happen too frequently, but they do happen. They do tend to happen with regular law enforcement models as well, I've heard. So here you can see them remove the battery connector, simple thing, and the antenna to the GPS. This is all fairly sensitive hardware. Like if you were to cut into it in the right place, you could probably mess with it. But you might trip the light sensor, so you've got to avoid tripping that. There's ways to do that. And there's actual, most of the actual chips are on the backside. 
So what they're going to show you now is how to insert the SIM, but then you can also see the chips responsible for the GSM, the communications, everything. So that's basically the Jimmy ankle monitor. And it's nice that they showed you an overview of the hardware, even board information, everything. So these are fairly simple. And what you would see with the ones used in the Netherlands, like the ones used by actual cops, is you would see a fiber optic strap instead of the metal one. I would say the fiber optics both have less false positives, and there's a security aspect to it, where fiber optics are just generally harder to spoof. I'm not saying it's impossible. I'm saying it's more difficult to do. So we have the tracker protocol, and this is just taken from car trackers. So there is actually software, Traccar, which is used for GPS tracking cars. And they have an implementation of this protocol. It's a more complete implementation, but there's a few features surrounding this device and specific error cases that are not implemented there and that I have implemented. If you see the software on my website, all the manuals to this one are included. All the protocol documents are included. When I'm going to show you the protocol documents, they might show you confidential on the site. Just forget about that for a while. I don't think it's very confidential anymore. So that's basically what they do. They're car tracker manufacturers, and they switched into producing GPS trackers. And there's a lot of companies like that. And there's a few interesting commands in the command manual there. I'm just hoping it'll show correctly. That's my mail. Yep, there we have it. So if you see the command list, you can actually query these commands can all be sent by an SMS command to this device. So if you have the cell phone number, you can already compromise it. And is anyone here familiar with the IMSI catcher? Yeah, so you guys know how to compromise these really quickly. 
So that's a thing. These are also just 2G. So they're generally very easy to compromise. Like it's a plaintext protocol sort of over 2G. So I sort of see you smiling. This might not be the most secure option for a people tracker. So you can query which server it's talking. You can set which server it's talking to. So you can just configure your own server. This makes sending commands a lot easier because you can send them via the server and you don't have to pay for each message. But you can also do a factory reset from the SMS commands. So if this thing is talking to someone's server or it has a password, you can just send it an SMS to do a factory reset. Then yeah, security leaves something to be desired, I would say. This also goes for the car trackers this manufacturer makes by the way. So if you contact one of those car trackers and you send a factory reset command, it will do a factory reset and you can actually configure them to talk to your own server then. Yeah, you might see issues in that with car trackers. Some of their car trackers can actually cut off the fuel to a vehicle while it's moving. So people trackers, not much fun if they're talking to someone else's server and their malicious car trackers. Also not much fun in that way. So that's basically the protocol of these things or the command manual. If you look at the protocol document, pretty sure this says confidential, yep. So it has a complete protocol documentation with login packets, everything. A login packet is sort of a weird way to name it because it just sends the IMEI number as an identification and this is a theme with all these trackers, including the car trackers. They use the IMEI number as the identification for this device. Can anyone see a problem with this? Yeah, exactly. You can look at it fairly easy and if you have like an IMSI catcher you already have the IMEI number, especially if it's a 2G device which everyone can sort of look at the communications. 
So with the IMEI number you can actually contact the server and you can pretend to be sort of at this device. So I'm not saying that's a smart thing to do but that's how it works. So the full protocol documentation, whatever, it's also on the website. It's included in the archive with the software so you can design your own if you feel like it. So there's also MegaStack trackers and if you look at this one, this is M2 200X and they're actually used. This is a site from Brazil tracking the world. The beam is slightly over the slide but you can sort of guess that this is from advertising for these trackers. So this is where they're actually selling these to customers. These have sort of the same vulnerabilities, the same sort of technology. One exception, the one on the top, like on the left, this one actually has a fiber optic strap so if you guys want to experiment with how to break a fiber optic strap without tripping a device, you might want to order this one. And yeah, these ones just have a metal strap, better waterproofing and a lot of nice features. They're just generally pretty decent trackers. They also manufacture patient trackers. So you see the wristband there, it can actually monitor SpO2, it monitors your location, it monitors your heart rate, everything. These are sold to hospitals and psychiatric clinics and they're used sort of all over the world. So yeah, these all sort of are based on the same car tracking chip sets and MegaStack is a more widely used brand. So you will see this used for tracking people for corrections in smaller countries, not in the West. You will see this used basically all over the world. I think you see the patient trackers within Europe though but the ankle monitors you will not see over here. So here we have an example of what Scram's now doing. This is from January 2022. They're claiming this is a very new fancy idea. They haven't watched like that but if you saw the previous slide, that's an old, old patient monitor. 
It's a 2G chip set. It's probably a decade old by now. So Scram is not that fancy or unique in this market basically. So what I want you to notice about the protocol with MegaStack. So it has the sort of the same features. You send the SMS command to the device to set it up and it talks to your server and it maintains a heartbeat with the server. So if it disconnects, they know and they can call you and figure out where you are. If you're still compliant, that kind of stuff. They also have a factory reset command somewhere in here in the instructions list. You can actually retrieve the location from this device with SMS commands. This one you can actually password protect I think. So if you password protect it, SMS commands aren't gonna work unless you have the password which is a nice feature to have but then you can just factory reset it. And it still uses the IMEI number as identification. So it still has the same sort of issues and the same sort of problems you would have with this one except you have much less in the way of false positives. These are much more widely used and just general better testing, better waterproofing, better everything as far as tracking goes, even better accuracy. Like you can run around a building with thick concrete walls and these will pick up your GPS signal. So that's pretty nice to have. These also have Wi-Fi support. So they will collect all the Wi-Fi access points around you and send them to the server which is very useful if you want to locate a person by that. You can definitely have a great war driving device with this, if you tag a bunch of people and have them run around. So now back to another brand, ThinkRace. And ThinkRace is a brand which this talk actually got its title from. This person actually lives in the Arab Emirates and she doesn't really strike me as the sort of person who would live in the Emirates, work in the Emirates for a tech company and then contact someone who talks on GPS trackers. Sort of seems odd. 
And she works for a government connected company. So yeah, that's sort of stalkerish I guess if they start adding you or like Tim. So you can all look this person up if you feel like it. So this is their advertising. And basically what you can see is how they track immigration in the United Arab Emirates via these watch type trackers. They also make ankle monitor versions. I have some with me at the speaker desk. Those are also used in Emirates. And yeah, basically this is what a watch like that looks like and they're used for COVID monitoring. They're used for immigration tracking. Here's how their platform works. So here you can see all the happy customers with a new, we want to track you watch, you know. This is sort of them explaining their immigration procedure and how it works. You also see they use the IMEI identification. It's a strong trend in this. I just really like how they made this ad and explained every procedure and their device. So somehow OPSEC just doesn't register with them I think. But these devices actually work and they do work as advertised and yeah, you can set geofences with them. The geofences are actually on the server not on the device, so that's something to keep in mind. So for immigration, COVID, quarantines, whatever they want to keep you in your hotel. So they set a geofence around the hotel and then you can't leave the hotel otherwise they get an alarm and then the cops show up to bring you back to wherever you're supposed to be. Kind of like a real ankle monitor except in the country where I wouldn't want to travel to and especially not now after this talk. So that's sort of how it works. ThinkRace also produces devices that monitor people going on the Hajj. So there might be reasons why you'd wanna tap one of these because if you want to monitor very religious people, this is sort of the brands you'd wanna go for. So I could show you the protocol documents again. 
But I have a question, what would happen if we just send a bunch of SMS commands to people in the UAE trying to guess the cell phone numbers? Or maybe if we find a block of cell phone numbers you know that would belong to a provider they used to communicate with these watches? Anyone have an idea? Do you think we could hack all of them? So yeah, it's definitely possible and you can definitely find them in the Emirates and you can definitely get a response out of them. So you could set them up against your own server and that's sort of an interesting thing to do. Avast actually looked into this and how some of similar devices communicate to a server. They're kid's trackers. These protocols are not that different from the kid's trackers protocols. They have the same sort of vulnerabilities. I would say the servers and the website part is better designed. So your chance of actually getting into their web servers is slightly lower except for the MegaStack devices. They're the best at hardware but their websites just aren't really that great security-wise. Like you have a default password. So it's one, two, three, four, five, six. You just log in with your IMEI number and your default password and you're done. You can monitor someone. So yeah, that's an issue. With ThinkRace you actually have more specific SMS commands and you have fewer of them. That said, they were friendly enough to ship me a JTAG debugging cable for their watches. So that's nice of them. I really appreciate it. They have two types. They have a 2G watch, which you can let it talk to your server like this. So you can configure your tracking server. So if you wanna proxy it or have it talk to your own server, figure out where someone from the UAE actually walks around. This is what you can do. And there's actually a protocol manual in here as well because they have a binary protocol and I would find it very difficult to reverse engineer this by hand from just proxy requests. 
So if you wanna roll your own, this is definitely useful and I did roll my own, but here it is. So you guys can sort of see how this communicates with the server. Yeah, they have a few packets. I would say the protocol is less complex than the Jimmy version, but it works. It's decent enough. So here's the type of packets they have. It's login information. Again, the IMEI number as they showed in the video. They have a GPS information package, LBS information package. They also transmit WiFi data. So they basically offer the entire package of like methods to track someone. And they also transmit information about your blood pressure if you have the 2G watch, your heart rate, your SpO2. Those you can all monitor and your temperature, which is useful if you're using it for COVID monitoring. So ThinkRace, watch tracker-wise, hardware-wise, it's great. The protocol has the same sort of pitfalls as all the other ones do. So that's ThinkRace. Yeah, I would say this is a very interesting one to monitor people in foreign countries if you want to monitor someone, but there's more. So we have the Xeaxon type trackers. They're used mainly in China. Here you can see where they're used. I also have an implementation for this one on the website. So in case you want to buy your own from that company or social engineer your own. They're used for the power grid, they're used for prisons. I don't know any of these prisons. I haven't contacted them before holding this talk to see if I could. I didn't think that was a good idea to do. So here you can sort of see where these are used. It's actually a binary protocol. And this one does not use SMS commands to set up the device. So it's slightly harder to hack, but they also gave me JTAG cables for the device. So JTAG is fairly nice to debug or just configure the server it is talking to and that's exactly what you can do. If you buy one, you could use their platform or their website to set it up against your own server also. 
But JTAG, if you pretend to be a big enough company, you will get a JTAG cable for these for free. And they obviously want you as their customer. You can also upgrade the firmware with it. You can download the firmware with it. You can modify your GPS tracker with it. So if you ever end up in one of these prisons, you might just want to have friends who can find you one of these JTAG cables. Since you have the full protocol documentation, I'm sure you all can figure out how to talk to the server and tell it that you're in the location you're supposed to within a few yards with some random error margin. Yeah, these are actually used. The Xeaxon type trackers, I've brought a few also in the speaker stand, so that's why they're a giant bucket of GPS trackers. I do tend to actually test them and use them with the server I've developed. So it has, all of these devices have multiple tracking methods. So you have LBS, which is local base station. So your cell phone tower. Some of them just send the one cell phone tower they are connected to. And I would say most of them. I think the Jimmy ones, the Xeaxon, the ThinkRace, and the Myrope, some of their versions, send multiple base stations. So that makes location easier, but LBS is not the best way to locate someone. Some of them have Bluetooth, like Jimmy, where you have Bluetooth beacons they place in your house. It's sort of like the RF location you have with the more Western devices, the older versions of the ankle monitors they have over here. You would have a RF transmitter in your house somewhere and they would be able to see over your phone line back then where you are located around that transmitter based on that RF signal. You can do the sort of the same thing with Bluetooth and a lot of these devices actually have Bluetooth for that. They also have Wi-Fi and thanks to Arch Linux I'll get back to later. And GPS of course. GPS is by far the most accurate tracking option you have. 
It's within a few yards, so you really wanna know where someone is. You prefer GPS, but Wi-Fi is sort of a good fallback because Wi-Fi geolocation is also usually within five to 10 yards of where someone actually is. Yeah, there are a few security details just as far as location goes. I have not implemented this but since they implement multiple tracking methods you can cross reference them and here I'm sort of talking about how Western devices work but if you block your GPS signal a proper server would then look at your LBS and that's sort of what I do here but if you spoof your GPS signal you can still look at your LBS and see is he somewhere within the area he's supposed to be in. So if the GPS does not match with the LBS or the Wi-Fi geolocation you can send an alert and you can show them, okay, someone's tampering with the device and this is a security measure you will generally not see in the Chinese servers or Chinese devices. I have not implemented this, it's very possible to do because the code is already there to do the geolocation all you need is a sort of temporal alert with that. There are multiple attacks on this. You can downgrade one of these 4G devices to 2G so you can jam all the 4G signals. This is fairly illegal to do but you can do it and then it'll communicate over a 2G signal and the 2G signal you can intercept and you can spoof and you can mess about with. Jamming is possible because their server does not match the LBS or the Wi-Fi location to the GPS signal so you can mess about with it. Some of them actually shut down the GPS receiver when there's a Wi-Fi signal present. That's a bug because if you shut down your GPS receiver when there's a Wi-Fi signal present well my phone can send a Wi-Fi network just fine. 
I can broadcast SSID from my phone, I can broadcast multiple SSIDs while I'm driving in my car and if it's not getting a GPS location but it's just doing Wi-Fi location you would never be able to tell while I'm just walking out with my router, you know. It's not that difficult to add like a backup power supply to your router and just walk out the house. So there's a few bugs in there. That's with Xeaxon. With ThinkRace you can actually force it to GPS locate and that's what I'm doing in the software so it's harder to fool the server if properly implemented and I don't think the actual Chinese server pulls the same trick but mine does so you won't be able to run away with your Wi-Fi router in hand with this one. But yeah, that's sort of the trick between these sort of devices. Now if you have the LBS tracking you want to know where the user is so if we have no other options so no GPS, no Wi-Fi, we want to use LBS. LBS is accurate within a mile-ish. If you have multiple local base stations you can be more accurate to within a few hundred yards of where a person is. This is kind of how you do a lookup for where a cell tower is. That's kind of all there is to it. The software on my website contains a huge database halfway from OpenCell ID, halfway from other sources with all these tower locations so you can look them up really quickly. It's also really easy to radix sort them because they're just binary data. It's really efficient to look them up locally. So it takes less than a millisecond to do LBS lookup. If we can't find it in our own database we fall back to Google and we ask Google hey where's the cell tower located and Google knows everything. So in order to figure out where someone is having these locations we need to interpolate. I used the quick and dirty method that just did a grid square optimization just walk through the grid squares between these cell towers and figure out where the strength is sort of optimal. 
I know it's not a linear relationship per se but it works well enough. So the next tracking option and the next best tracking option is Wi-Fi tracking. Sort of the only provider you have nowadays for good Wi-Fi tracking is Google. And what Google does is basically whenever you walk around with your Android phone they collect all the Wi-Fi networks and your GPS data and they store it and then we can just query it. The downside is these location API calls are fairly expensive. So it's 28,000 map loads for 200 bucks you can see here and how often do you think a GPS tracker connects with the server to notify them okay I'm seeing these Wi-Fi networks. Anyone have an idea? Not once a second. Yeah usually once a minute once 30 seconds it depends on how you set it up. If you want to save power or you want to track someone for a long time you might set it to three or five minutes. But there's a lot of minutes in a day and this would get expensive fairly quickly. So I've implemented caching in my server. Usually people are stationary and they stay in the same house. Caching only works if you do not send the signal strength because signal strength will vary a lot in the same area. So what I've done with caching is I have just stripped all of that data sent Google to play in Wi-Fi networks and got back to location. I am unfortunately not that rich and I'm not gonna be able to afford 200 bucks a month just to track one person let alone like 10 people using my server. Luckily each open source distribution has Chrome and anyone know if Chrome also has a location API call in the API key in the source code? Yeah, you're correct. They have a location API code in the source code for instance, arch repositories. So I'm using the arch keys for myself but in case anyone wants to set this up if you wanna do it cheaply, there's ways, please don't block me. I enjoy doing this far too much and I'm far too cheap to stop doing that. 
If that doesn't work, we fall back to the HERE geolocation API. It's what used to be TomTom, it's cheaper. It's a lot cheaper per API call. So yeah, wifi geolocation is efficient, GPS we all know and we know the security implications of this. Now I said I wouldn't talk about Western devices and I have very little time but I'm just gonna give you guys a small hint. Most of these devices in the West have a fiber cable. Anyone remember the right picture? So this strap is bent, right? It's flexible, you can sort of bend it. So there's ways to inject and extract light from a cable like that. It's fairly difficult and expensive but it's doable. And then there's still the open servers you can use which I've shown you before and I'm gonna skip for now I think because I don't have that much time left but basically this is the live gateway log you can all experiment with which contains some information on the Myrope type devices including full locations, everything. So remember that URL. You can ask me for it later if you want. This is a server where they've just been kind enough to publish their logging data. It's nice to have. Now let's get back to the actual software. So this is the end product. You can sort of see where I came from and traveled to MCH. You can sort of see how fast I was going and the battery level of course and everything. You can see the status of the device here. You can see how many satellites it has, what kind of connection it has. So there's a fully working implementation of this thing here. You can sort of see where I'm standing at this point right now and you can see an event which is where I've taken this device off and then closed it again. So it has the full functionality you would expect of a law enforcement device including all the geofences, whatever. So that's sort of hit for what I can demonstrate in the 50 short minutes I have. The software is on my website. 
If you have any questions, you can talk to me later or outside this tent or at the speaker tent. I would like to thank you all for your attention.
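The talk describes two server-side pieces that it does not show in code: the quick-and-dirty grid-square search that turns several reported base stations into an LBS position, and the cross-reference the speaker says a proper server should do (compare the GPS fix against the LBS or Wi-Fi estimate and raise a tamper alert when they disagree). The block below is an added example written for this transcript, not the speaker's software and not any vendor's protocol code. It assumes a hypothetical tower database keyed by (MCC, MNC, LAC, CellID), a hypothetical log-distance path-loss model to turn RSSI into a distance, and constructed coordinates and RSSI values; the function names are mine. A single reported tower is trusted to about a mile, several to a few hundred yards, which is the accuracy the talk quotes for LBS.

```python
"""
Added example (not the speaker's code): estimate a tracker's position from
its reported cell towers and cross-check it against the GPS fix it sent.
Tower coordinates, path-loss constants and RSSI values are constructed.
"""
from dataclasses import dataclass
from math import asin, cos, log10, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

EARTH_RADIUS_M = 6_371_000.0
M_PER_DEG_LAT = 111_320.0
TX_REF_DBM = -40.0      # hypothetical RSSI at 1 m from a tower
PATH_LOSS_EXP = 2.5     # hypothetical decay exponent of the path-loss model

# Constructed tower database: (MCC, MNC, LAC, CellID) -> (lat, lon).
# The real server uses an OpenCellID-derived database with a Google fallback.
TOWER_DB: Dict[Tuple[int, int, int, int], Tuple[float, float]] = {
    (204, 8, 1001, 1): (52.2830, 5.5240),
    (204, 8, 1001, 2): (52.2870, 5.5310),
    (204, 8, 1001, 3): (52.2800, 5.5330),
}


@dataclass
class CellObservation:
    """One base station as reported in the tracker's LBS packet."""
    mcc: int
    mnc: int
    lac: int
    cid: int
    rssi_dbm: float

    def key(self) -> Tuple[int, int, int, int]:
        return (self.mcc, self.mnc, self.lac, self.cid)


@dataclass
class CrossCheck:
    lbs_lat: float
    lbs_lon: float
    lbs_radius_m: float   # how far the LBS estimate is trusted
    mismatch_m: float     # distance between the GPS fix and the LBS estimate
    alert: bool           # True when the GPS fix lies outside that radius


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin(radians(lat2 - lat1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def rssi_from_distance(d_m: float) -> float:
    return TX_REF_DBM - 10 * PATH_LOSS_EXP * log10(max(d_m, 1.0))


def distance_from_rssi(rssi_dbm: float) -> float:
    return 10 ** ((TX_REF_DBM - rssi_dbm) / (10 * PATH_LOSS_EXP))


def lbs_estimate(observations: List[CellObservation], tower_db=TOWER_DB,
                 step_m: float = 25.0, pad_m: float = 500.0) -> Optional[Tuple[float, float, float]]:
    """Return (lat, lon, radius_m), or None when no reported tower is known.
    One tower: use the tower's own position (about a mile of accuracy).
    Several towers: grid-square search for the point whose distances to the
    towers best match the distances implied by their RSSI values."""
    towers = [(tower_db[o.key()], o.rssi_dbm) for o in observations if o.key() in tower_db]
    if not towers:
        return None
    if len(towers) == 1:
        (lat, lon), _ = towers[0]
        return lat, lon, 1600.0
    lats = [pos[0] for pos, _ in towers]
    lons = [pos[1] for pos, _ in towers]
    m_per_deg_lon = M_PER_DEG_LAT * cos(radians(sum(lats) / len(lats)))
    d_lat, d_lon = step_m / M_PER_DEG_LAT, step_m / m_per_deg_lon
    pad_lat, pad_lon = pad_m / M_PER_DEG_LAT, pad_m / m_per_deg_lon
    best = None  # (error, lat, lon)
    lat = min(lats) - pad_lat
    while lat <= max(lats) + pad_lat:
        lon = min(lons) - pad_lon
        while lon <= max(lons) + pad_lon:
            err = sum(abs(haversine_m(lat, lon, tlat, tlon) - distance_from_rssi(rssi))
                      for (tlat, tlon), rssi in towers)
            if best is None or err < best[0]:
                best = (err, lat, lon)
            lon += d_lon
        lat += d_lat
    return best[1], best[2], 300.0


def cross_check(gps_lat: float, gps_lon: float, observations: List[CellObservation],
                tower_db=TOWER_DB) -> Optional[CrossCheck]:
    """Compare the GPS fix with the LBS estimate; None means nothing to compare."""
    est = lbs_estimate(observations, tower_db)
    if est is None:
        return None
    lat, lon, radius = est
    d = haversine_m(gps_lat, gps_lon, lat, lon)
    return CrossCheck(lat, lon, radius, d, d > radius)


def simulate_observations(lat: float, lon: float, tower_db=TOWER_DB) -> List[CellObservation]:
    """Constructed input: the RSSI each known tower would show for a device at (lat, lon)."""
    return [CellObservation(*key, rssi_from_distance(haversine_m(lat, lon, tlat, tlon)))
            for key, (tlat, tlon) in tower_db.items()]


if __name__ == "__main__":
    obs = simulate_observations(52.2840, 5.5290)   # device really is here
    print(cross_check(52.2840, 5.5290, obs))       # consistent fix: alert False
    print(cross_check(52.3300, 5.5290, obs))       # fix about 5 km off: alert True
```

In a real deployment the LBS radius would come from the tower database's own accuracy figures rather than the two fixed values used here, and the same comparison can be run against a Wi-Fi geolocation result, which the talk says is usually good to five to ten yards and so allows a much tighter radius.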