White label SOS panic buttons can be hacked via SMS

A widely used panic alarm handed out to at least 10,000 elderly people in the UK can be remotely controlled by sending it simple SMS commands, according to researchers at Fidus Information Security.

The alarm – a small plastic pendant device with an SOS button in the middle – connects to 2G/GPRS cellular networks, which means it can be used anywhere without the need for an intermediary base station and provides a live status feed.

As well as being able to locate the wearer via GPS, it can also detect whether the wearer has taken a fall and comes with a microphone and speaker for two-way communication should an emergency be detected.

On the face of it, a potentially life-saving device, but also one whose unnamed maker doesn’t appear to have factored in even basic security.

Alarming oversights

Armed with the phone number of the installed SIM (the numbers are handed out in batches, meaning you can infer a range by knowing only one of them), Fidus was able to send the device documented SMS commands to do the following:

  • Call the device and have it answer, creating a “glorified wiretap” that can’t be detected.
  • Remove emergency contacts.
  • Disable GPRS, motion alarms, and fall detection.
  • Power off the device.
  • Remove any set PIN number.
  • Retrieve GPS data to work out where the wearer is located.

Fidus tested the theory by contacting real devices to see how many of the guessed phone numbers would respond, receiving replies from 7%, or 175 of the 2,500 numbers tested:

So this is 175 devices being used at the time of writing as an aid for vulnerable people; all identified at a minimal cost. The potential for harm is massive, and in less than a couple of hours, we could interact with 175 of these devices!

It should have been possible to prevent communication by setting a PIN number but it appears that many didn’t have one set, rendering the security useless.

However, even had one been set, Fidus says it discovered it was possible to bypass this by issuing a factory reset with no authentication needed.

White label IoT

As a Chinese-made ‘white label’ device (one branded by numerous third parties), it doesn’t have an obvious name that would make it easy to identify.

In the UK, it’s offered under the following product brands – and probably many others – usually distributed by local councils:

  • Personal Alarm & GPS Tracker with Fall Alert – Unforgettable
  • Footprint – Anywhere Care
  • GPS Tracker – Fall Alarm – Amazon/Tracker Expert
  • SureSafeGO 24/7 Connect ‘Anywhere’ Alarm – SureSafe
  • Ti-Voice – TrackIt24/7

Could the security flaws be fixed?

According to the researchers, for new devices that have yet to be sent to customers, yes. All that’s needed is a unique code printed on each device that would be required to make configuration changes.
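
The fix the researchers describe, as an added example that is not the vendor's firmware or Fidus's code: every SMS command, factory reset included, is refused unless it carries the code printed on the device. The `<code> <COMMAND>` message format, the command names, the sample code value, the five-attempt lockout and the physical unlock are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Constructed sample: the unique code printed on this one device (assumption). */
static const char DEVICE_CODE[] = "K7Q2-9FXM-41TD";

enum verdict { ALLOW, DENY_BAD_CODE, DENY_LOCKED, DENY_MALFORMED };

#define MAX_FAILURES 5
static unsigned failures;   /* would live in non-volatile storage on real hardware */

/* Compare without exiting early, so a partial match is handled like any miss. */
static int code_matches(const char *given, size_t len)
{
    size_t want = sizeof DEVICE_CODE - 1;
    unsigned char diff = (unsigned char)(len != want);
    for (size_t i = 0; i < want; i++)
        diff |= (unsigned char)((i < len ? given[i] : 0) ^ DEVICE_CODE[i]);
    return diff == 0;
}

/* Assumed design: only a physical action on the pendant clears a lockout. */
void physical_unlock(void) { failures = 0; }

/* Hypothetical message format: "<code> <COMMAND>". There is no command that
 * skips the check: a reset path without it would let any sender clear the
 * protection, which is the bypass the article describes. */
enum verdict authorize_sms(const char *body)
{
    const char *sp = strchr(body, ' ');
    if (sp == NULL || sp == body || sp[1] == '\0')
        return DENY_MALFORMED;
    if (failures >= MAX_FAILURES)
        return DENY_LOCKED;          /* stops code guessing over SMS */
    if (!code_matches(body, (size_t)(sp - body))) {
        failures++;
        return DENY_BAD_CODE;
    }
    failures = 0;
    return ALLOW;
}
```

While locked out, only remote configuration is refused; the SOS button itself would be handled by a separate path that this gate does not touch.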

For the ones already out there, it is almost certainly too late, short of replacing them:

Any local authorities that are supplying these devices or employers who are using them to keep their workforce safe should be aware of the privacy and security problems and should probably switch to another device with security built from the ground up.

Fidus said it had contacted suppliers to point out the device’s risks, which had resulted in some considering a recall. Others, however, failed to respond.

Because it doesn’t connect directly to the internet and uses SMS, perhaps its makers assumed it would be safe from remote attack. Internet of (insecure) Things laziness strikes again.

UPDATE 21 June 2019: We’ve removed Pebbell 2 by HoIP Telecom from the list of affected devices. This was incorrectly named and is unaffected by the security issues mentioned in this article.