At a news conference this morning, Immanuel C. Securitage
from ECS-CERT announced that contractors working with ECS-CERT had uncovered
some serious security issues at GPS Associates during their investigation of
last Friday’s manufactured traffic jam in Los Angeles. After quickly eliminating cyberattacks on the
stalled cars as the source of the stalling at the intersection, ECS-CERT
focused on the HomeTrack GPS system. He said that ECS-CERT was working with GPS
Associates to fully identify and resolve the issues involved. He would not
provide further details pending the establishment of fixes with the affected
systems.

The following story was pieced together from interviews with
various people at GPS Associates, at Dragonfire (a cybersecurity firm doing
contract work for ECS-CERT), and with ECS-CERT researchers, none of whom are
authorized to speak for ECS-CERT or GPS Associates.

The first-level check of the security at HomeTrack found a
very well-designed security system. There is very limited internet access into
their system and the portions of the network where that access is allowed are
carefully segmented from the other portions of the HomeTrack network. There
were no signs of any phishing attacks and the email system was on its own
network segment with little opportunity for an attacker to move laterally out
of that system. Finally, there was no known malware found on the system.

System logs clearly showed the identification of the
affected vehicles and the order to shut down their engines. The logs showed that
a shift supervisor was the person who was responsible for that access. The only
problem was that that supervisor died last year in a boating accident. It seems
that the Human Resources Department at GPS Associates has been very slow to
notify the various system administrators in the organization when employees leave
the organization.

A system administrator told me that the company did not
think this was much of a problem because access to the most critical portions
of their custom architecture had to be done from on-site workstations with
logons conducted with scans of the employee badges and a password. Unfortunately,
it turns out that the company was not as careful about its logons as it
thought.

Dragonfire found a virtual private network (VPN) link into
the systems that the system administrators were not aware of. When logging in
via the VPN, users were not required to use two-factor authentication. It seems
likely that this VPN connection was part of the original coding and would allow
programmers to respond to system problems while away from the facility.

Dragonfire also found that there was a TOR website where the
VPN login information was available for sale. The same site also provided
specific vehicle location identification and shutdown services. The location
identification service was advertised as a ‘Track Your Lover’ tool. Real-time
tracking and tracking history were available options. The car shutdown service
was advertised as ‘Car Swatting’ as a means of getting revenge on people by
making them stall in traffic. All that was needed to access either of these
services was 1 Bitcoin and a license plate number.

Dragonfire was able to track down at least a dozen of the
so-called ‘Car Swatting’ incidents based on chat logs from the site. In only one of
those incidents could Dragonfire find evidence that local mechanics identified
that the HomeTrack GPS was involved in the problem. In most incidents,
mechanics diagnosed other sensor-related issues as the cause of the stall. At
least one minor traffic collision resulted from a ‘Car Swatting’ incident.

Dragonfire has apparently notified the Automotive Safety
Administration (ASA) about the issue. Rose Nader from the ASA has confirmed
that an investigation is underway on potential problems with the HomeTrack GPS
system, but refused to discuss the issue further, saying: “The investigation is in
the early stages and it would be premature to discuss the issues involved at
this time.” She did note that GPS Associates was cooperating with the agency.

Ed Cole, a spokesman for the Automotive Safety and Security
Council (ASSC), an independent auto safety organization, said: “The ASSC is
looking into this issue of unauthorized access to GPS tracking data. This is a
privacy issue that must be addressed quickly by Congress.” He said that both
Rep Milk (D,CA) and Rep Pinter (D,MA) were looking into the issue.

Johnathan Quest reported today that the Federal Bureau of
Inquiry was looking into security issues associated with the HomeTrack GPS incident.
“We are aware of allegations that system access has been made available on the
Dark Web,” he told me. “We are trying to contact the owners of at least one TOR
website to obtain information.”

When asked if any other cities had been approached with
ransom demands, Quest replied: “I would not be able to confirm or deny any other
incidents at this time.”