GPS satellite positioning platform vulnerability disaster, the user location information in an emergency-vulnerability warning-the black bar safety net

ID MYHACK58:62201670748
Type myhack58
Reporter 佚名
Modified 2016-01-06T00:00:00


Recently, the press exposure a lot of plays through the GPS positioning device trace abduction. By on the market on some of the GPS positioning device research, found that these GPS positioning system background using a common set of procedures, its Cloud Platform on the presence of multiple high-risk vulnerabilities, an attacker could exploit the vulnerability can be positioned to use the device of any user or the vehicle's current position, history trajectory, and even can be remotely cut off the vehicle oil-Electric. I. Introduction We in the Taobao search on a gps positioning device, and found that the vast majority of sellers are selling the mainstream of the gps positioning system are the same set of procedures, are subject to the vulnerability. ! The system is substantially the principle and the architecture is as follows: ! In the GPS positioning apparatus is equipped with a 3G mobile phone card, the positioning apparatus acquires the current position coordinates via the 3g network transmission to the cloud monitoring platform, the user through the pc or mobile device log on the monitoring platform, you can locate the binding on their own account the location of the device. Second, the vulnerability details Following this set on deal 8 0 0 0+, the cumulative evaluation of more than 2 2 0 0 0 positioning device, for example. ! Which Cloud Platform to use. NET development, the login interface is as follows: ! For Resellers, enter the account password can control the account under all the equipment, for the General user, select the input the IMEI and the password may be positioned a single location of the device. Through the study found, in its Cloud Platform, the presence of a large number of not authorized to access the webservice interface, we adopted the Protocol Specification calls these interfaces, it can access any user's information, change their password, or even to locate its position. ! ! Through the interface the administrator password is initialized, then the login view can be seen, only this one platform, there are more than 2 5 million of the devices, the current online device it has 2. 7 million. ! Can be positioned directly to these device specific location You can get to use the equipment of vehicles and personnel information, phone, license plate number, name, etc. ! You can navigate to their current vehicle to the specific location: ! Can also through the historical data analysis of vehicle trajectory: ! You can even direct the remote cut off the vehicle oil-Electric: ! Through further research we found that the system of webservice interface there is also thesql injectionvulnerability, by in the soap message to insert malicious data, and we can even direct control of the server. ! ! Third, the vulnerability The study found that commercial GPS positioning program amount is very large, users all over China, Europe, the Middle East, Africa, Southeast Asia and other regions. ! Also includes some of the Middle East, war-torn regions all prefer to use GPS tracking. Here it is reflected out of the GPS application scenarios. ! ! ! !

[1] [2] next