What a GPS/GNSS device in a cigarette pack taught me about OSINT and the IoT

Drew Thorsen
Jun 17, 2024

‘Dude. Babe. Bekah found something crazy in her cigarettes today. She thinks it’s a card reader.’

‘Really?! That’s kinda scary. Interesting, but scary. It’s probably like a RF tag for theft protection or something. You guys sure it’s a card reader?’

‘No, this is different, it’s like, no, this is something else — I’ll show you a photo when I get home.’

Innocuous pink foam cradling an amber epoxy board, at center the green neurons of the device connect chips and charger. Simple, and so intimidating, a new alien technology. The copper and silicon glyphs stare back at me from the photo, lifeless, but a gateway. A gateway to and from where? Who built it? What is it for? Why was it at a Plaid Pantry in Portland, OR waiting inside a box of cigarettes?

‘Does she still have it?’

‘No, she turned it into the police.’

What were the police going to do with it? Do they have a department of ‘Random Things found in Cigarette Packs’? Or would this device just live in a box, trying to find access to their wireless systems and phones until the battery pack finally died? Would it even have to access their network to transmit information? What information was it trying to collect or transmit, and to whom was it trying to send it? Yes, it was a GPS anti-theft device, but what could I gather from just the surface with some OSINT digging?

The battery charger, to my eyes, was generic, as was the board it was attached to. Though it did look very custom, as though it was created in batches, this being one of many put into production. The foam being cut perfectly for this device makes it perfect to fit into a cigarette case. Why?

Since I didn’t have access to the object itself, there was only one thing that had real identifying information on it.

The first object that drew my attention was the u-blox chip. I have no expertise in this matter, so I started with the FCC ID. Their site let me use the ID to do a quick search to find this — 2AGQN4NNN Cellular Module.

2AGQN4NNN Cellular Module External Photos u-blox AG
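How the FCC ID used above breaks down, as an added example that is not part of the original post: an FCC ID is a grantee code (3 characters if it starts with a letter, 5 if it starts with a digit) followed by a 1-14 character product code, so 2AGQN4NNN is grantee 2AGQN (u-blox AG) and product 4NNN. The label text below is constructed, and the second ID in it is a made-up placeholder.

```python
import re

# Finds "FCC ID: XXXX" (colon optional) in text transcribed from a label photo.
_LABEL_RE = re.compile(r"FCC\s*ID\s*:?\s*([A-Z0-9-]{4,19})", re.IGNORECASE)

# Constructed label text; only 2AGQN4NNN comes from the article.
SAMPLE_LABEL = """u-blox SARA
FCC ID: 2AGQN4NNN
Contains FCC ID ABC1234-X
"""


def split_fcc_id(fcc_id):
    """Return (grantee_code, product_code) or raise ValueError."""
    s = fcc_id.strip().upper().replace(" ", "")
    if not s:
        raise ValueError("empty FCC ID")
    # Grantee codes starting with a digit are 5 characters, otherwise 3.
    glen = 5 if s[0].isdigit() else 3
    grantee, product = s[:glen], s[glen:]
    if not re.fullmatch(r"[A-Z0-9]{%d}" % glen, grantee):
        raise ValueError("bad grantee code in %r" % fcc_id)
    # Product code: 1-14 letters, digits or hyphens.
    if not re.fullmatch(r"[A-Z0-9-]{1,14}", product):
        raise ValueError("bad product code in %r" % fcc_id)
    return grantee, product


def fcc_ids_in_label(text):
    """Split every FCC ID found in label text; skip strings that do not parse."""
    found = []
    for match in _LABEL_RE.finditer(text):
        try:
            found.append(split_fcc_id(match.group(1)))
        except ValueError:
            continue
    return found


if __name__ == "__main__":
    for grantee, product in fcc_ids_in_label(SAMPLE_LABEL):
        print("grantee=%s product=%s" % (grantee, product))
```

The grantee code identifies the company that holds the grant, which is why the same u-blox module can turn up inside end products sold under different names.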

In a quick search I found that u-blox is a Swiss company that is a spin-off of the Swiss Federal Institute of Technology in Zurich. They make wireless stuff for the IoT. These chips are the ‘starter kits’ which allow others to create applications for their selected flavor of thing. This device in particular has GNSS and LTE capability that is accurate within a centimeter of its location. Their mission at u-blox is to ‘connect every thing’. Ominous.

While digging I decided to call in the only superpower I have, AI. I got GPT on the line and this is what it gave me after I uploaded the photo:

“The device your friend found in their pack of cigarettes appears to be a Cat M1 GPS tracker, specifically the BI LOC8 LTE model made by u-blox AG. This device is typically used for monitoring and tracking purposes and is designed to be worn as an ankle bracelet. It includes a GPS tracker and a cellular modem that supports various frequency bands, enabling it to transmit location data over cellular networks.

This type of tracker is often used in contexts such as monitoring offenders or individuals under house arrest, providing precise location data to authorized monitoring centers. The device is equipped with firmware that controls its operation, ensuring a fixed maximum duty cycle, which prevents unauthorized alterations to its functionality.

If your friend found this in their cigarette pack, it might have been misplaced or planted intentionally, but such a device is usually associated with legal and monitoring purposes rather than being used casually.”

An ankle bracelet? Inside the pack of cigarettes? Who has access to legally deconstruct ankle bracelets?

BI LOC8 LTE model — stay compliant!
I think it’s so funny that there’s an ad, but of course there is.

In addition, I noticed the device has an ANATEL (Brazil’s National Telecommunications Agency) certificate number on it, along with an IC (Industry Canada) number, meaning it has the ability to communicate in Canada as well. There are nine countries in South America that require homologation, Brazil being one, and from the FCC website I found it has another certificate for Colombia. This means that this device is capable of operating in the US, Canada, and South America, including two of the nine South American countries that require homologation on their LTE devices.

Colombia Homologation Approved Frequencies
ANATEL Certificate Number (after the ‘computer enhance’ moment with GPT — it was very blurry)
ISED Radio equipment list for the u-blox AG device

In looking up the specific information about the device through three of these countries, I didn’t find much of interest, but one thing did catch my eye.

As I looked up the ISED Radio equipment list from the IC number, I found something that is obviously of interest — ‘CoverTrack STLTHV’. Now, that sounds like it was used to covertly track something from somewhere using a modified ankle bracelet.

CovertTrack sales pitch about the accessibility of their devices.

This Host Marketing Name, or HMN, refers to the commercial name of the end product that uses the u-blox SARA. So, it seems, we have a device that has been used under multiple HMNs. One of which is approved and certified by a lab here in Portland — Element Materials Technology Portland — Evergreen Inc. I was curious about their practice of certifying devices, so I reached out to see if anyone would be curious about giving me information about the device; alas, I haven’t heard back.

I also reached out to CoverTrack, and they didn’t write back or comment on their device.

Another HMN, the Ventis Pro 5, is actually a gas monitor? According to the Ventis Pro5 Manual it can operate on batteries and have wireless operations for ‘a variety of features and functions’.

As far as the certifying bodies go, we have American Certification Body INC., DNB Engineering Inc., Element Materials Technology Portland — Evergreen Inc., and TUV SUD America Inc. (San Diego). All of these certifying bodies are responsible for ensuring that devices meet the necessary regulatory standards and compliance for the relative regional standards. Fairly basic and nothing too interesting to say here except we have more law enforcement/military contacts through ACB INC. and that Element Materials Tech. is located in Portland, but there’s not much to say there other than they have done testing, and have confirmed this device meets US/CA standards.

Frustrating that this has to be the end of the line, but this rabbit hole has me thinking — if I was working for the company that has access to this device, what information would I have access to? What would I be able to see, and how could the company that I work for be sure that I was handling the information properly?

This small device, not much bigger than a thumbnail, is capable of transmitting GPS/GNSS to law enforcement bodies (or whoever has a subscription, really) across multiple countries. It can generate gigabytes of information from its sensors, daily. This formula of information gathering is what we can suspect will only become more available to those who seek it, whether that is law enforcement, or corporations. Sure, this is designed to stop someone stealing some cigarettes, but what if you haven’t committed a crime? What if your only transgression was to not read the terms of service?

As much information as we can gather about this device is paltry compared to how much it can gather about us. Immediately I think of how much more information is going to be gathered about me in my home. Not only that, but once I give it access to my network, I’m not just connecting that device, I’m connecting it to a device that has complete access. If this device is insecure and running on the same network I transmit personal and private information over, there is no private or personal information.

(Here’s an example of a simple network access hack on BT bulbs)

As we already know, these corporations are not above human fallibility. Take a look at the employees from Tesla, the employees from Ring, and the amount of general access we have to unsecured devices when we are on the internet. For example, this website lets you use AI to probe any open IP on the internet. It is the Google to the internet of things, though you can do it on Google as well. If you see a camera, and you didn’t set it up, do you know where that information is going? Who is capturing it? Who is seeing it, and what they are using it for?

Let’s just, for example, use a site like Censys and a GitHub collection to see what we can see on the public internet. Remember, this is all publicly available information, not even from the internal system.

First, we just google ‘censys github queries’, or we can use the built-in AI query box to generate us a relevant prompt. I’m going to google it and use git.

CTRL + F + GNSS

Great, we’ve found some GNSS devices, just like the one in the article!

Now, let’s see what we can see after clicking copy on the query and putting it into Censys…

On the left side we can decide what type of device we want to look for -

I’m going to choose IoT and see what comes up. Then we can filter by ‘US’, and then maybe something like ‘remote access’ or ‘camera’ to see what comes up.

Or, we can just input the IP and have direct access to a nice login page. I am not going to try to invade someone’s IP, but you get the idea.

http://insecam.org/ is another site where you can access any insecure camera on the internet. **This website is not secure**

Definitely not all bad, but still super creepy!

Existentially this is obviously terrifying, and in spite of my projected anxieties, I am not here to incite fear. I write this to help myself understand what I can do to keep myself informed about the IoT.

With access to information like this without the proper security protocols, we could be very much at risk from anyone with a curious mind, knowledge and enough time on their hands. I just want to reiterate that this is all public information. AI is only going to help us to break things and find things at a faster and more effective rate, especially when used locally and all corporate ethical limitations are turned off. Though, DAN mode in GPT is no longer available in 4o.

Here are some suggestions/tools to use to help you stay aware of how your information is being gathered, how your devices might be vulnerable, and how you can help yourself read those huge Terms of Service that so many just click through, myself included.

1. Separate networks, disable unused features and use strong passwords
  • Limit access to these devices and disable unwanted features.
  • Make sure that the passwords to your network are strong and check your firewall to make sure you limit devices you don’t want to have access to your network. You can use tools like Wireshark to monitor your outgoing data (David Bombal’s tutorial, which I referenced earlier in the BT bulb hack, shows at 5:00 minutes in the cleartext transfer of information of some devices).
  • Make sure all firmware is up to date, use strong encryption and monitoring tools to have full control over your home network. Here is a great way to set up a home IoT network.
  • Or, just turn it off. If you aren’t using it, don’t need it, just turn it off.
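One way to check the first suggestion against your own capture, as an added example that is not part of the original post: it reads source, destination and TCP port rows and reports IoT devices that talk in cleartext to the outside or reach hosts on the main LAN they should be separated from. The subnets, port list and sample rows are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed addressing: everything at home is in 192.168.0.0/16 and the
# IoT devices live on their own 192.168.50.0/24 segment.
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 1883: "mqtt"}

# Constructed rows in the shape produced by, for example:
#   tshark -r capture.pcap -T fields -E separator=, \
#          -e ip.src -e ip.dst -e tcp.dstport
SAMPLE = """\
192.168.50.21,203.0.113.10,80
192.168.50.21,203.0.113.10,443
192.168.50.30,198.51.100.7,1883
192.168.50.30,192.168.1.15,445
192.168.1.15,203.0.113.10,80
"""


def audit(rows_csv):
    """Map each IoT source address to a sorted list of findings."""
    findings = defaultdict(set)
    for row in csv.reader(io.StringIO(rows_csv)):
        # Non-TCP packets export an empty port column; skip malformed rows.
        if len(row) != 3 or not row[2].isdigit():
            continue
        try:
            src = ipaddress.ip_address(row[0])
            dst = ipaddress.ip_address(row[1])
        except ValueError:
            continue
        if src not in IOT_NET:
            continue  # only auditing traffic that starts on the IoT segment
        port = int(row[2])
        if dst in HOME_NET and dst not in IOT_NET:
            # Segmentation is not holding if this shows up.
            findings[str(src)].add("reaches main LAN host %s:%d" % (dst, port))
        elif dst not in HOME_NET and port in CLEARTEXT_PORTS:
            name = CLEARTEXT_PORTS[port]
            findings[str(src)].add("cleartext %s to %s:%d" % (name, dst, port))
    return {src: sorted(items) for src, items in findings.items()}


if __name__ == "__main__":
    for src, items in sorted(audit(SAMPLE).items()):
        for item in items:
            print(src, item)
```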

2. Use the extensions and tools like ‘Terms of Service; didn’t read’

Hey Alexa! Give me your privacy settings!

https://tosdr.org/ is a great extension to give you a quick idea of the company you’re interfacing with. While this isn’t always applicable to IoT devices, I think it’s safe to assume that Amazon was an early adopter of the Alexa in-home spy, and it is probably going to continue to be one of the worst IoT offenders. If you’re already using something like AI in any capacity, it can be a great tool for getting through your terms of service, though there will be a price to pay with your information for using any AI service, obviously. Sometimes, in my perspective, it’s about how to mitigate data loss, not how to completely eliminate it.

Also, big shout out to uBlock.

3. Basic education and understanding of your relationship to the internet, and your devices

There are so many good podcasts, YouTube channels, and articles out there that have real tangible substance. They have helped me so much in my understanding of my IoT relationships. Here’s a couple specific resources.

  • As far as understanding the capabilities of today’s hackers, corps, and government, this podcast is amazing. Jack has such good insight and information for you all wrapped in a juicy narrative that will have your attention rapt. Check it out.

https://darknetdiaries.com/

  • This dude is a classic —
NetworkChuck has great intros to topics
  • I’ve spent some time in the YT wormhole and have found a couple of characters that are helpful in the learning journey. A mix of philosophy, a pessimistic ‘been-there-and-back’ mix of reality and where we can look to the future. It’s good stuff, check him out to help yourself understand where your risk assessment lies.
Eric Murphy

While we have reached the end of my long melange of information, the IoT keeps streaming, character after character. As we become more connected and integrated, I truly do hope that it allows for more convenience and efficiency in our lives. I love the idea of things like the IoT, but as it stands, we are in a learning stage and metamorphosis of the understanding of what data and information gathering can open us up to as consumers. Stay safe and secure out there, be vigilant and don’t smoke.

loveyabye
