2

I have made a small tracking device. I am trying to reduce the data overhead as much as possible to make the device very cheap to run. We are working on the basis that 1MB = £0.01 (the data price at Three UK).

I wrote a simple UDP server in C++. The tracking device opens a socket connection to the UDP server and then sends GPS data through the socket every 5 seconds. This seems to work very well. The overhead is very small and in general seems reliable.

The tracking device has a 16-character string hardcoded into the microprocessor code. In order to reduce overhead, we pass values to the server as a comma-separated string and in this string we include the hardcoded device ID. Each time the UDP server receives a request, it checks the ID against a database of valid IDs. If successful, the request is accepted and the GPS data is saved against that device. I have written brute-force protection functions to ensure outsiders can't try and send spoof GPS data for a device.

I'm no expert on network security, but I know of terms like "packet sniffing". The data is being sent over an unencrypted connection in plain text, so I need to ensure there is no way that this data can be read. The tracking devices will be installed under the dashboard in vehicles so there's no way to find out a device code physically without reading serial data (i.e. plugging it in).

My worry, and where I'm clueless, is whether it's possible for a hacker to somehow detect incoming traffic to my UDP server and see the device ID and then use it to send spoof data? Am I worrying about something that is non-existent or do I need to ensure that the connection is encrypted (I assume TLS over TCP connection) at the cost of extra overhead?

jskidd3

1 Answer

5

It would be easy to sniff data using tools like Wireshark for someone who can access the data path between your client and the server. This isn't something anyone on the Internet could do per se, but if your device uses wireless and there are people nearby they could grab this data if they wanted it.

As for finding your UDP service online, that is easy to find via simple scanning tools like nmap and zmap, but depending on the port number you used, it may already be publicly listed on sites that scan the entire Internet, like scans.io. In all likelihood some third parties are already aware of your UDP listener and this will, hopefully, also be listed as other source addresses in your logs.

Security through obscurity no longer exists on the Internet since people can use tools like zmap or masscan to scan the entire IPv4 address space in just a few minutes.

https://nmap.org/

https://scans.io/

https://github.com/robertdavidgraham/masscan

As per the encryption question, I think it would be wise to encrypt your data and also wise to consider how each device authenticates to the server. Security of the Internet of Things (IoT) is a very hot item because so many of these devices have abysmal security, and security researchers, and bad actors, can leverage these problems to get access to other networks very quickly. If nothing else, I recommend using encryption because what you use the device for may change in the future, and it's always easier to design security in at the beginning of a project rather than paying the high cost of re-engineering.

Trey Blalock
  • Thanks for your answer Trey. Our device actually connects to mobile networks rather than any specific wireless hotspot. On that basis is it still possible? Thanks for clarifying scanning tools, though I think that won't be a problem as knowing the hardcoded device ID is required to interface with the API. – jskidd3 Apr 18 '16 at 16:55
  • Absolutely. People are using Linux-based LTE range extenders to run Wireshark and look at traffic over the LTE (similar method for GSM) all the time. Also never assume your API is secure or that your authentication can't be bypassed or brute-forced. Has your API had a pentest performed? APIs are a GREAT way to break into databases. – Trey Blalock Apr 18 '16 at 17:03
  • UDP scanning is not as trivial as you suggest. ICMP unreachable throttling etc. – Dog eat cat world Apr 18 '16 at 17:03
  • UDP scanning is trivial. It's just not fast due to timing restrictions, which means lots of people make newbie mistakes when doing it. That said, anyone who knows how to do it correctly can do it easily, and for those who can't, that data will still eventually show up on sites like scans.io – Trey Blalock Apr 18 '16 at 17:06
  • Thanks so much for this information - it's invaluable to me. On that basis I will ensure that we use TLS/TCP when interacting with the API. – jskidd3 Apr 18 '16 at 17:08
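
An added example, not part of the answer or of the asker's server code: one way to stop a sniffed device ID from being enough to send spoofed fixes is to authenticate every datagram with a per-device secret key and a message counter. The key table, field order, 8-byte tag length and all names below are assumptions made for illustration; this authenticates the data but does not hide it, so it does not replace the encryption recommended in the answer.

```python
import hashlib
import hmac

TAG_LEN = 8  # bytes of HMAC-SHA256 kept per datagram (assumed size/cost trade-off)

# Constructed sample data: a secret key provisioned per device, stored beside its ID.
DEVICE_KEYS = {"A1B2C3D4E5F6G7H8": bytes.fromhex("00112233445566778899aabbccddeeff")}


def build_datagram(device_id: str, key: bytes, counter: int, lat: float, lon: float) -> bytes:
    """Device side: comma-separated payload followed by a truncated HMAC tag."""
    payload = f"{device_id},{counter},{lat:.5f},{lon:.5f}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
    return payload + b"," + tag.hex().encode()


class Receiver:
    """Server side: verify the tag, then require a strictly increasing counter."""

    def __init__(self, keys):
        self.keys = keys
        self.last_counter = {}  # device ID -> highest counter accepted so far

    def accept(self, datagram: bytes):
        """Return (lat, lon) for a genuine, fresh datagram, otherwise None."""
        try:
            payload, tag_hex = datagram.rsplit(b",", 1)
            device_id, counter, lat, lon = payload.decode().split(",")
            counter, fix = int(counter), (float(lat), float(lon))
            tag = bytes.fromhex(tag_hex.decode())
        except ValueError:
            return None  # malformed datagram
        key = self.keys.get(device_id)
        if key is None:
            return None  # unknown device ID
        expected = hmac.new(key, payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # forged or altered: the ID alone is not enough
        if counter <= self.last_counter.get(device_id, -1):
            return None  # replay of a previously captured datagram
        self.last_counter[device_id] = counter
        return fix
```

With these assumptions the tag adds 17 bytes per datagram (a comma plus 16 hex characters), and the key never travels over the network, unlike the device ID.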