Security considerations with Traccar Server

fhofi3 months ago

Currently it is possible for an attacker to enumerate devices and send fake data. All he has to do is to guess the IMEI and send a test packet to the server. As the IMEI consists of the TAC (8 Byte) + SEN (6 Byte) it is fairly easy to enumerate as the TAC is equal among the same device type.

What is the best way to cope with this attack?

David Cole3 months ago

Only accept traffic from known networks.

fhofi3 months ago

What if the gps-devices don't have a static ip-address?

David Cole3 months ago

They more than likely won’t. But I accept (genially). The up range of my mobile network.

Doesn’t kill off the attack vector. But at least reduces it significantly

fhofi3 months ago

I was also thinking about reducing the attack vector with ip ranges but then you have the problem with roaming. You will get a new IP-Address from the foreign country.

David Cole3 months ago

Are you Europe? I’m nz. Surrounded by water. I can’t drive to another country. So don’t really have an answer for you if that’s the problem.

I don’t think most (car tracking) devices have any sort of security let alone way of passing some authentication data. Maybe higher up ones do. Or the ones that use http or mqtt.

fhofi3 months ago

Yes that is the problem, I am from central europe and roaming is very common here. I was thinking about certificates for the gps devices but that is not supported with most trackers.

I am just really curious why the protocols don't send some security token or password by design. Probably because of legacy devices?

David Cole3 months ago

Most are very cheap and relatively stupid. They don’t have dns capability even. Needing a fixed ip to work.

But as I said above, I suspect if you pay more for a device you might get access to better features. Https, client certs, authenticates mqtt (basic or cert based).

If those hardware devices exist then I suspect support will be built them for if it doesn’t already exist.

Track-trace3 months ago

@fhofi

Your assumption seems rather exaggerated.

Whats the point ? even if you found out the imei number. To send data to a server for a tracker that is not in your account.
Besides that you would need to know the protocol port to send the correct protocol data to.
By default i change the protocol port.

So first you are gonna figure out my device imei's and then search the protocol port for the specific protocol you are going to sent data too ?
For a device that you do not have a server account for ?

It rather seems a waste of time.

fhofi3 months ago

@Track-trace

I get your point, but see it as a form of ddos attack. Sometimes it is not the goal of the attacker to hack a system and obtain valuable information but disturbing or corrupting data. Even if you don't have access to the trackers account, you can still manipulate the gps data.

Anton Tananaev3 months ago

Many telecommunication companies have a solution to this. They can provide you SIM cards that connect directly to your network via VPS. It solves both a problem of non-encrypted communication that some devices have and you can be sure only your devices can connect to the server. I believe it should work cross-border as well, but not 100% sure about that part.

Track-trace3 months ago

@fhofi

Well over the years i actually saw a lot of port scanning on all ports of my server. But never saw anyone trying to send device data to any port. Did you?

I get your point, but it is also rather simple to allow or deny all ip's from regions / country's / networks if you are getting paranoid.

Anton Tananaev3 months ago

I also think it's not a common problem.

Croce3 months ago

@fhofi

Set your server with fail2ban rules and filters:

  1. use 22 port as honeypot
  2. detect port scanning attempt
  3. ban every single ip address used to port scanning and discovered into honeypot.