How Hackers Could Get Out of House Arrest

A security researcher finds flaws in an anklet used to track people under house arrest.

Aug 8 2015, 5:55pm

Image: Lorenzo Franceschi-Bicchierai (Motherboard)

A hacker has found a way to hack a device used to track people under house arrest, potentially allowing whoever is wearing the tracking anklet to get away—without the police finding out.

Location tracking devices, which are usually strapped around ankles, use GPS and other technologies to report the position of people in home detention back to the authorities. Normally, these devices have a series of anti-tampering systems that alert the police as soon as someone tries to mess with them. But William Turner, a security researcher also known as Amm0nRa, has found that one particular device manufactured by a Taiwanese company has a series of flaws that make it vulnerable to tampering.

While he was only able to study one particular model, Turner warned that it's likely others have the same weaknesses, and that manufacturers should start paying more attention.

"There are issues with these systems, we'd like to think that they're secure because they're part of the justice system," Turner said during a talk at the Def Con hacking conference in Las Vegas on Friday, "but they're not perfect by a long shot."

Turner got a sample device from GWG International, a Taiwanese manufacturer. The device uses GPS and radio frequencies to determine the position of the person with the anklet, and uses a cell data network to send the coordinates back to monitors.

William Turner holds a home detention anklet after his talk at Def Con in Las Vegas on Friday, Aug. 7.

By studying the device he obtained, he found out that it's possible to spoof its location. All one needs is a do-it-yourself Faraday cage, which is a container that blocks signals from going in or out; a software-defined radio, which is a device that can be programmed to send and receive a wide range of radio frequencies using software instead of hardware; an open source app; and a custom script.

In this scenario, a person under home detention puts the device in the Faraday cage, isolating it from the network. Then she creates a fake phone network so that when she tears the device apart and takes out the SIM card, the device can still send a tamper detection warning and thinks it was delivered, even though it was sent to the spoofed network.

At that point, the person can put the tracking device's SIM card in a phone and send herself a text to find out what number is associated with the card. Then, using an online SMS spoofing service, she can send the authorities fake messages that look like they're coming from that number, reporting her to be in the house, while she's actually fleeing.

GWG International could not be reached for comment.

It's not easy for someone who doesn't have a technical background to pull off such a hack, Turner told me after the talk. But someone who does have technical skills could just make a device that automatically performs this attack, and sell it to people who are under house arrest.

He couldn't tell how many of these tracking devices are out there, or who exactly is using them, since the manufacturer did not want to disclose these numbers, and authorities weren't eager to share this information either.

"Someone somewhere is using this vulnerable system, because there's a market for it," he said.

Turner said he didn't contact GWG International to report his research, since he's had bad experiences reporting vulnerabilities in the past. Moreover, none of the companies selling similar devices that Turner contacted in the past seemed interested in helping his research.

"None of the manufacturers really wanted to talk to me about it so I don't really care," he said during the talk. "It's their problem."