'Oh sh..' – the moment an infosec bod realized he was tracking a cop car's movements by its leaky cellular gateway

If you want to avoid the cops, or watch deliveries and call-outs by trucks and other vehicles in real-time, well, there's potentially not a lot stopping you. Security researchers have found more than 100,000 internet-facing cellular gateways, some of which broadcast their exact whereabouts to the world. These particular …

  1. jake Silver badge

    Default passwords? In this day and age?

    The '70s on line one, something about wanting their vulnerabilities back.

    Seriously, I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!

    (I won't bother to address the rest of the bumbling mistakes. You're quite welcome.)

    1. Kanhef

      Re: Default passwords? In this day and age?

      And not only that, but 12345? Have people not seen Space Balls?

      1. Steve Knox

        Re: Default passwords? In this day and age?

        What!? They've hacked my luggage!?

        1. IceC0ld

          Re: Default passwords? In this day and age?

          Since then more than 13,500 warning notes have been sent out to people making and operating exposed equipment, we're told, and two replies were received

          ==

          13 500 out

          TWO back

          shows the level of interest people seem to have for infosec :o(

          1. Anonymous Coward

            Re: Default passwords? In this day and age?

            Or understanding. If you can't understand what is being talked about, how can you judge its importance?

            And, unfortunately, boiling it down to "we can track your police cars in real-time" will likely get a knee-jerk response.

          2. Alan Brown Silver badge

            Re: Default passwords? In this day and age?

            "13 500 out

            TWO back"

            Based on past attempts to send out warning notes for stuff like this:

            1: I'm surprised that it was that many

            2: I'm also surprised the replies weren't threats to sue

            3: I wouldn't be at all surprised if someone uses this as fodder for some control-freak law making scanning for vulnerabilities illegal, instead of addressing the actual problem.

            Seriously, it's far more common for organisations and individuals to respond to this kind of warning by shooting the messenger than by sending a thank you note.

            1. jake Silver badge

              Re: Default passwords? In this day and age?

              These days they don't bother shooting the messenger. Instead, their minds turn off because "technical", and they ignore it as obviously not applicable to them. Presumably they expect TehIntraWebTubes equivalent of "a little man" will be 'round shortly to sort it ... If they think past the delete button, that is.

            2. Marcus Fil

              Re: Default passwords? In this day and age?

              I have been that shot messenger - followed a week later by an apology and a request for assistance in securing information and a request to know how I had discovered what I discovered. I did not give them all the details on the last issue, but enough to show how easy it all is.

              Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators. We cannot trust joe public (or even local law enforcement) to understand the issues.

              Banks and other organisations are starting to tell people to be more careful on the interfaces which cannot be secured by technology alone, but sadly ~50% of the population will always be below average intelligence.

              A pint of beer for the 'white hats'. A pint of piss for the lazy implementers.

              1. Doctor Syntax Silver badge

                Re: Default passwords? In this day and age?

                "Sadly, we need design and implementation standards, backed up with laws and harsh penalties applying to manufacturers, importers, suppliers and system integrators."

                Worth a thousand upvotes.

                "Banks and other organisations are starting to tell people to be more careful"

                I'm not convinced of this. Those I've dealt with persist in training their customers to be phished by sending out emails inviting them to click on links, some of which require logins.

                1. Terry 6 Silver badge

                  Re: Default passwords? In this day and age?

                  sending out emails inviting them to click on links, some of which require logins..

                  Worse, the emails (from the banks) often have messages that sound more like scams than the real scams do - as in "Click here for news about your account" type messages

              2. 404

                that shot messenger...

                .. Yeah I don't do that any longer...

                I know where a county sheriff's operations server is just hanging out there wide open - ah ain't a-sayin' shite... They don't like me anyways.

                It's NOT worth the hassle.

              3. Mark 85

                Re: Default passwords? In this day and age?

                A pint of piss for the lazy implementers.

                It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it. <sigh> There's the right thing to do and the corporate/public agency thing to do. One would hope that the corporations and public agencies would for once do the right thing.

                1. theblackhand

                  Re: Default passwords? In this day and age?

                  "It's not lazy, it's about cost and corporate profit. A few cents here, a few cents there, and pretty soon, the shareholder value takes a hit. Public agencies don't answer to corporate bosses but taxpayers and no taxpayer wants taxes raised to "fix" IT stuff since they don't understand it."

                  In many cases, the issue is poor planning and a lack of time to fully implement plans - we want to create/configure/deploy A with features W, X, Y and Z. By the time A is in production Y and Z are mostly done, X is on the to do list and W is forgotten about.

                  While this can be seen as a cost issue (if only we'd employed more people or taken more time to plan properly), in many cases this isn't apparent until long after the damage is done. Treating it as a corporate profit issue ignores the other cultural issues that result in these types of security problems.

                  Changing a default password is more likely to have been either a lack of product knowledge or a lack of simple security knowledge ("change any default passwords to something more secure"). Given the number of organisations affected, I'm frankly astonished that somebody within the organisations didn't question the lack of security.

              4. eldakka

                Re: Default passwords? In this day and age?

                ... but sadly ~50% of the population will always be below average intelligence.

                I think you mean median intelligence ;)

                1. dajames

                  Average

                  I think you mean median intelligence ;)

                  OK, I missed the wink of your smiley, you probably don't deserve the downvote I just gave you, but this particular piece of nit-picking gets my goat.

                  BUT you do realize, of course, that the median is just one of the statistical values that are generally referred to as the "average" -- see Wikipedia -- so the remark that "50% of the population will always be below average intelligence" is true because "average" can mean "median".

                  Then again, the distribution of intelligence in the population approximates to a bell-curve (a normal distribution) and one characteristic of the normal distribution is that the mean and the median have the same value. So, again, "50% of the population will always be below average intelligence" holds true.

                  But it's not really worth this debate. The remark is a joke that should pass without comment. 50% of anything will be below "average" (for some value of average), but that's not the point -- the point is that we all tend to forget how stupid some people can be, and it's worth having a bon mot like this to remind us.

              5. thepenisyoulove

                Re: Default passwords? In this day and age?

                NO! I don’t want more government in my life to treat me like I’m a kid. These people who set this up did not change their default username and password. That’s their fault for being lazy or dumb. And now they are going to pay the price of being lazy or dumb. While I agree the design of the application was poor to not force them to change the default, bringing the government into the mix isn’t the solution. Why do all you people think government is the solution to everything?

                1. strum

                  Re: Default passwords? In this day and age?

                  >Why do all you people think government is the solution to everything?

                  Why do you think a corporation is the answer to anything?

              6. Anonymous Coward

                Cops doing their best, unfortunately

                I was on a jury a few years back. The police technical witness, asked about the accused's mobile phone, described all the tools they had for taking a forensic image to prove what calls and texts were made and received on the night of the incident, and said that they did not confirm the accused's story that a certain number was sent to them as a contact. Defense stepped up and asked: were those tools used? (yes) and did they show that the number had been dialed on that night? (no, because the police officer couldn't get them to work and in fact had no evidence that either side's story was correct) *sigh*

                1. Graham 32

                  Re: Cops doing their best, unfortunately

                  @AC "I was on a jury a few years back..."

                  Don't they just ask the phone network what calls were made? I'd expect that to be much easier to do and have more reliable results.

                  1. Anonymous Coward

                    Re: Cops doing their best, unfortunately

                    @ Graham 32 - "Don't they just ask the phone network what calls were made?"

                    What annoys me most, and seems often to be overlooked, is that without a voice recording of those same calls, there is no proof that a particular person (generally the "owner" of the phone) actually made the calls. Same with location of the phone being tracked (assuming the "owner" was with it), and similarly about text messages or internet use.

                    Someone else may frame a person if they get access to the phone, or possibly access to the SIM. For location, just leaving a phone by accident or design could suggest the movements of a person when s/he went nowhere near the phone during several minutes / hours / days etc. For example, making it appear the "owner" went to a store, whilst actually staying back to do something (murder?).

                    (In case anyone wonders, I used "owner" because if a phone is being bought over a period with a finance agreement, the buyer might not legally be the owner until the completion of payments.)

          3. Roland6 Silver badge

            Re: Default passwords? In this day and age?

            >shows the level of interest people seem to have for infosec

            Not really. However, it would be interesting for the scan to be repeated in 90 days to get an indication of how many have actually been changed - that would perhaps be a better indication of just how much attention people/organisations actually give to security disclosures...

      2. Anonymous Coward

        Re: Default passwords? In this day and age?

        I wish the AS/400 I occasionally support had default passwords. Bastard thing.

    2. Doctor Syntax Silver badge

      Re: Default passwords? In this day and age?

      "I know marketing runs everything these days, but Shirley even those dumb-fucks should have put this one to bed by now!"

      You seriously underestimate marketing.

  2. Chairman of the Bored

    Then again...

    ...this is an own goal for the same team who deploys mass surveillance technologies such as automatic plate recognition under the claim that "if you are driving a vehicle in public you have no reasonable expectation of privacy". Turnabout time, baby.

    1. ecofeco Silver badge

      Re: Then again...

      Right? Cops wanted mass surveillance and they got it. They just didn't think they would also be victims of it.

  3. Will Godfrey Silver badge

    Oops

    Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

    1. dajames

      Re: Oops

      Although plod might not have known about this I expect the spooks did, and are probably not very happy it's gone public.

      On the other hand, it enables them to argue that off-the-shelf solutions are not sufficiently secure for their own use, and they should have a bigger budget to enable them to specify their own systems and have them built ...

      ... and it enables them to argue that there is a vast untapped ocean of information about the movement of others that they are not yet tapping, and they need a bigger budget for that too!

    2. Dr Dan Holdsworth

      Re: Oops

      Actually it has been known for quite a long time that in the UK at least, the police radios were operating on a set of frequencies that nothing else was permitted to use. Now, certain TV receivers can be repurposed as software defined radios, and whilst these cannot decode police radio transmissions, they can determine the strength of these transmissions and use the strength to determine the distance of the transmitter.

      If you are a criminal about to do something naughty, such a McGuffin is a very useful piece of kit, since it warns you if there is a police officer (or rather, a police radio unit presumably closely associated with a police officer) in the immediate vicinity. If this is the case, then the prospective scofflaw can alternatively choose not to break the law whilst in the presence of police officers.

      The devices are marketed in the UK via the usual shady channels, and are described as a way of knowing if emergency vehicles are in the vicinity so that the user can get out of their way. The use of the things is described as "Being in a grey area", which approximates to "If a police officer catches some twerp with one, search the suspicious probable felon and his car immediately and obtain warrants to search his home forthwith".

  4. Wellyboot Silver badge

    Home Address?

    “What happens when people go after police officers because they know where they live"

    I would expect the only police officers taking cars home after work will be living in very rural parts of the US, and half the county probably knows where Deputy Dawg lives already. Everywhere else the car will be back in the pool for the next shift.

    The map is a bit small to show, but I'll guess there aren't any police vehicles in Northern Ireland using this out of the box. A properly organized terrorist like the PIRA (not the current nutjobs looking for paradise) would have loved this level of tracking ability, they'd have been playing pacman for real.

    Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars.

    1. Andy Non Silver badge

      Re: Home Address?

      "Now, are there any Italian gold bullion transports using this? I have a plan involving very small cars."

      Remember, you are only supposed to blow the bloody doors off.

    2. Chairman of the Bored

      Re: Home Address?

      Oddly enough, of the places I've lived in the US the only places I've seen where the police drive marked cars home are the relatively large and prosperous bedroom communities around Washington and New York.

      The theory is that this deters crime. The reality is twofold: it makes the cop's house a target for petty vandalism when the car is not present, and it makes for a lot of whining about 'lazy ass gub'mint workers, never on the job' when the car is present.

      I'm in the boonies now and the theory is that money is tight and we cannot afford the luxury of one car per patrolman, so the car goes with the shift, not the man. I'm ok with that.

      BUT! That said we apparently have enough cash for a plate camera on every traffic light and damned near every lamp post.

      Annnnd, if you drive near the sheriff's office your cellular will on occasion get pushed down to 2G suddenly ...with no network connectivity and a cell ID that is unique and nonsensical... despite ample 4G signal. Sometimes this happens near their 'incident command post' SUV.

      1. thepenisyoulove

        Re: Home Address?

        Are you sure this isn’t a chapter from a utopian science fiction novel?

    3. James O'Shea

      Re: Home Address?

      "I would expect the only police officers taking cars home after work will be living in very rural parts of the US and half the county probably knows where Deputy Dawg lives already. everywhere else the car will be back in the pool for the next shift."

      Ah... no. Here in Deepest South Florida it is _very_ common for cops to take their vehicles home with them. One local housing development I know of has, on one road ('Azalea Circle') at least three Palm Beach County Sheriff's Deputies, one each Miami-Dade and Broward County Sheriff's Deputy, and one each West Palm Beach, Royal Palm Beach, Boynton Beach, and Ft. Lauderdale police officers, plus one Florida Highway Patrol, one Florida Fish and Wildlife, and one Federal Border Patrol cop. Those would just be the marked cars. There are also several cars with yellow 'state', 'county', and 'city' and white US Gov license plates, but those might not be cops, just civil servants. Two of the PBCS deputies live next door to each other. The Ft. Lauderdale cop and the Broward deputy live opposite to each other. Two of the US Gov plated cars are parked by houses on the same block as the Border Patrol cop. No doubt there are lots of unmarked cars which don't have yellow plates.

    4. doke

      Re: Home Address?

      I've been told many apartment complexes around here offer discounted rent to police officers who frequently bring home a marked car. The complex wants the crime deterrent.

      1. Anonymous Coward

        Re: Home Address?

        Back in the 80s at NATO HQ in Belgium.

        We were supposed to buy unmarked local cars to avoid being obvious targets for IRA / RAF attacks.

        Unfortunately HQ had a deal with some local car dealer so everyone got identical white Merc E class, with local plates but every window covered in brightly coloured NATO parking passes.

        Since everyone lived in the same few suburbs it made a target you could see from orbit.

  5. ecofeco Silver badge

    It's almost like...

    ... most of the Internet was designed and built in the cheapest way possible by the least competent companies run by people who think grifting is good business.

    1. jake Silver badge

      Re: It's almost like...

      This isn't about TehIntraWebTubes, per se, rather it's some more fine examples of IoT, and the mentality that drives it.

      1. deive

        Re: It's almost like...

        I'd go further than that and say it is a central tenet of capitalism: to maximise returns to investors, produce the bare minimum you can get away with.

        1. Doctor Syntax Silver badge

          Re: It's almost like...

          "produce the bare minimum you can get away with."

          Which is why, as per a comment above, we need regulation to raise that bare minimum to something adequate.

          1. Charles 9

            Re: It's almost like...

            The government is fair game in capitalism, too. You bribe, cajole, or vote in the most cooperative government you can. If all else fails, you bail out.

          2. thepenisyoulove

            Re: It's almost like...

            Government to the rescue! I can’t figure out how to change a password, please mommy government please spoon feed me and punish the guilty. More laws and more regulation surely fixed everything!

    2. fredj

      Re: It's almost like...

      Please don't forget the great British customer. They really know how to find a bargain even if they are clueless about what they are buying.

      I once worked for a company that bought a dedicated word processor for the price of half a dozen houses just as the first versions of MS office were hitting our desks. It was switched on once after the initialisation and very expensive training. (I did say told you so but was promptly told to shut up)

      Sorry, off subject but that is what you have to cope with when it comes to computer use.

      1. John Brown (no body) Silver badge

        Re: It's almost like...

        "Sorry, off subject but that is what you have to cope with when it comes to computer use."

        Sounds like a typical "no one ever got fired for buying IBM" moment :-)

  6. John Smith 19 Gold badge

    GPS location on the router home page.

    For PHBs who think the SoA in vehicle tracking is "I got a tab for every car. I just go to it and there's its position."

    unfu**ingbelievable.

    Now the default password is not necessarily an issue.

    Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

    The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

    1. Doctor Syntax Silver badge

      Re: GPS location on the router home page.

      Now the default password is not necessarily an issue.

      Provided (after you use it) it says "For security reasons please change this password to your preferred password, and record the new one in a safe place."

      Not quite enough. The default password should only get you into a screen that says "For security reasons please change this password to your preferred secure password, and record the new one in a safe place. YOUR DEVICE WILL NOT BECOME OPERATIONAL UNTIL YOU DO THIS." And enforce minimum standards on acceptable passwords.

      1. Charles 9

        Re: GPS location on the router home page.

        No good. Too many complaints. AND some of them have enough money to cause trouble. If you can't make it turnkey, you're not doing it right.

        1. Pascal Monett Silver badge

          Security is not turnkey. It's time we stop people from putting wide-open stuff on the web.

          And please, don't tell me that you can't just type in some characters in a page. It's not that difficult.

          1. rmason

            @Pascal Monett

            He/We know that.

            What he means is many companies would actually see this as a downside, and go with the "easier to use" competitor.

          2. Norman Nescio Silver badge

            Default Passwords

            Changing a default password is not difficult. As you say, it can even be enforced* on 'first boot'.

            However, ensuring the new password is recorded properly and securely, and available to all those authorised to use it, is rather more tricky. It certainly isn't right, but many take the view that having the password recorded in the documentation is positive, and changing it from the default is a disbenefit. You then also have the fun of deciding who should know the password: is it role-based, so any sysadmin for that system should know it, or should it be account based, so everyone who needs access should have their own account and password (which brings in a whole new level of pain and bureaucracy)? Throw in a requirement for accounts to have 2FA, or single sign on, or conform to some other corporate standard or other, and you can understand why some people just keep quiet. It might not be right, but choosing the option that is most likely to give you an easy life here and now, rather than looking for bureaucratic trouble, is, not unpredictably, a popular option.

            Password and account management is not standard across (IoT) hardware. There may not even be an applicable international standard.

            *Unless you do something like break out to a command prompt and bypass the 'first run' script. Not that I have ever done such a thing.

    2. GeekyDee

      Re: GPS location on the router home page.

      The first bit should be easy. It's usually the latter (and tracking all of them together) where it gets tricky.

      Easy: seed with a long passcode through a proper algorithm using the serial number/device name/etc. and spit out a somewhat secure password. Not the greatest, but better than default and easily tracked down/recreated if needed.

  7. Primus Secundus Tertius

    It should just work

    For any other type of product, such as the police car itself, the customer expects it to just work.

    It is time the computer industry stopped blaming the customer and made better products.

    1. DCFusor

      Re: It should just work

      Oh, so the secret password of all the devices should still be the same for all and not need to be changed?

      Oh, make it different for each and write it down for them - that'll work...it'll never leak...

      Turn off the functionality? Then it just doesn't work.

      People who use the words "should be" can't point to a working way to do what "should" be done...sigh.

      1. Charles 9

        Re: It should just work

        As they say, that's YOUR job. Either JFDI or come up with a Turing-style disproof so you have an alibi to put in front of a judge.

      2. John Brown (no body) Silver badge

        Re: It should just work

        "People who use the words "should be" can't point to a working way to do what "should" be done...sigh."

        Well, from my perspective, the bloody obvious way is for the management software back at home base to manage all the individual passwords for each device. And that should be well locked down. Yes, that home base, locked down solution might also be vulnerable and that means access to the fleet, but that's still better than the fleet being open to everyone, all of the time.

    2. harmjschoonhoven

      Re: It should just work

      The solution is evident. When a device with a fixed username / password, like user/12345, rolls from the belt, or better at the final acceptance test, it is hooked up to a computer that logs in, sets username and password to a random value and prints a label. This should then be enforced by law to convince the beancounters of the world.

      The device can then be marketed as "Now with improved security bla bla bla".
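      As an added example, not code from any commenter or vendor, here is what the acceptance-test provisioning step described above and the serial-number-derived scheme proposed earlier by GeekyDee look like in Python, plus the unkeyed variant that shows why deriving from the serial alone is no better than a fixed default. The manufacturer key, serial numbers and label alphabet are constructed for illustration.

```python
"""Per-device credential provisioning at final acceptance test.

Three schemes, for comparison:
  random  - independent random password per unit, printed on the label;
  keyed   - HMAC-SHA256 over the serial under a manufacturer-held key, so
            support can recreate it from the serial but nobody else can;
  unkeyed - plain hash of the serial: anyone who reads the serial off the
            label or a packing slip and knows the algorithm can recompute it.
"""
import hashlib
import hmac
import secrets

# Constructed label alphabet: no 0/O, 1/l/I look-alikes, since people type it.
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _to_alphabet(n: int, length: int) -> str:
    """Base-convert a large integer (a hash digest) into label characters."""
    out = []
    for _ in range(length):
        n, r = divmod(n, len(LABEL_ALPHABET))
        out.append(LABEL_ALPHABET[r])
    return "".join(out)


def random_label_password(length: int = 16) -> str:
    """Scheme 'random': uniform choice via the secrets module (CSPRNG).
    Unrecoverable later unless the vendor also stores it."""
    return "".join(secrets.choice(LABEL_ALPHABET) for _ in range(length))


def keyed_serial_password(manufacturer_key: bytes, serial: str, length: int = 16) -> str:
    """Scheme 'keyed': deterministic in (key, serial). The key is the one secret
    that must be protected (in practice inside an HSM at the factory)."""
    digest = hmac.new(manufacturer_key, serial.encode(), hashlib.sha256).digest()
    return _to_alphabet(int.from_bytes(digest, "big"), length)


def unkeyed_serial_password(serial: str, length: int = 16) -> str:
    """Scheme 'unkeyed': weak, because the serial is public information and the
    algorithm is the same in every shipped unit."""
    digest = hashlib.sha256(serial.encode()).digest()
    return _to_alphabet(int.from_bytes(digest, "big"), length)


def provision(serial: str, manufacturer_key: bytes, scheme: str = "random") -> dict:
    """Run once per unit on the test bench: pick the password under the chosen
    scheme and return the record that goes on the label and into the device."""
    if scheme == "random":
        password = random_label_password()
    elif scheme == "keyed":
        password = keyed_serial_password(manufacturer_key, serial)
    else:
        raise ValueError(f"unsupported scheme: {scheme}")
    return {"serial": serial, "username": "admin", "password": password}


def recover_for_support(serial: str, manufacturer_key: bytes, scheme: str):
    """What the vendor can regenerate later from the serial alone.
    Returns None for the random scheme: only the label (or a vendor database)
    holds that value, which is the trade-off GeekyDee's proposal avoids."""
    if scheme == "keyed":
        return keyed_serial_password(manufacturer_key, serial)
    return None


if __name__ == "__main__":
    key = b"constructed-manufacturer-key"  # constructed; never ship this in firmware
    for scheme in ("random", "keyed"):
        print(scheme, provision("SN-000123", key, scheme))
    print("unkeyed (weak):", unkeyed_serial_password("SN-000123"))
```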

      1. Anonymous Coward

        Re: It should just work

        ... random passwords printed on a label......

        isn't that how wifi-routers have been, like, for ages?

      2. thepenisyoulove

        Re: It should just work

        That should be enforced BY LAW? Is there anything in your life that you are okay without the government in it?

    3. eldakka

      Re: It should just work

      It should just work

      For any other type of product, such as the police car itself, the customer expects it to just work.

      It is time the computer industry stopped blaming the customer and made better products.

      No-one should need to learn how to drive and get a drivers license, it should just work.

      No-one should have do a mechanic's apprenticeship to become a mechanic, cars should just fix themselves.

      No-one should have to go to university for 6 years to become a doctor, health should just work.

      No-one should have to spend 1000 hours learning how to fly a plane, it should just work.

      No-one should have to learn to read and write, it should just work.

      No-one should have to learn to sew, clothes should just patch themselves.

      IT and computer devices are still a technical field. People still need to learn some basic IT to use IT devices. Just because IT is ubiquitous doesn't mean it doesn't (or shouldn't) require some level of knowledge, some learning curve. Do you really expect someone who's never driven a car before to be able to be put behind the wheel of a manual and just drive it around town, knowing the road rules, the techniques (not just steering the car, but how to keep constant speed, what to look out for)?

      Why do people expect highly complex, highly technical, devices to require less knowledge and skill to use than getting a drivers license?

  8. Paul Johnson 1

    Stingray list?

    So if I'm understanding it correctly, these things are Stingrays or similar devices (https://en.wikipedia.org/wiki/Stingray_phone_tracker). The EFF has been trying to find out about police using these devices, as their ability to spy on individuals without a warrant is a matter of concern. https://www.eff.org/search/site/stingray

    1. John Sager

      Re: Stingray list?

      The article seems to suggest it's a router to Internet over cellular service, like the hotspot function on your smartphone. One assumes that the admin port on Stingrays is a bit more secure but then we all know how even the things you would expect to be secure, so often aren't.

      1. Paul Hovnanian Silver badge

        Re: Stingray list?

        "One assumes that the admin port on Stingrays is a bit more secure"

        Not really. Many of these units are loaned to local police departments by the Feds or larger state police forces. With equipment moving back and forth, managing actual unique and secure passwords would be problematic. Never mind switching to non default TCP/IP ports.

        And it appears that the location data is available without needing to log in. Just port scan the appropriate IP blocks, find an Internet-facing cellular gateway and the login page has the latitude/longitude.

        1. eldakka

          Re: Stingray list?

          Many of these units are loaned to local police departments by the Feds or larger state police forces.

          Typically in that context, "loaning" includes both a device and an operator for said device.

  9. Adrian 4

    I have a cradlepoint (cradlepoint.com) device that's a mobile router with a GPS receiver. It can conveniently fail-over from ethernet to wifi to 4G for the upstream connection. So yes, a hotspot.

  10. Anonymous Coward

    Why did they have to pull the terrorist card?

    "If it weren’t for white hat researchers, we would be finding out about discoveries like this from news media after a terror attack"

    No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book.

    On the other hand, they could have mentioned how handy knowledge of the position of patrol cars is for burglars of all levels of sophistication. The old fashioned way of doing this was to have associates physically tail the police and report if they were getting close to the area of the crime and/or create a distraction if they did.

    That, in my humble view, is an instant and quite unnecessary loss of credibility by the researchers: they may be good with the clickety stuff but comments like the above show no awareness of the wider picture.

    1. keithpeter Silver badge
      Windows

      Re: Why did they have to pull the terrorist card?

      "...if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book."

      Er, actually, near me in the UK, you'd be blowing up an Aldi, a car park, some new houses, and a large hole in the ground. And more stations are closing soon apparently. We see a patrol car about once a week, and the helicopter flies over when the football is on. Haven't seen an actual police officer walking a beat for five or six years or so.

      I live one mile from the centre of a city of 1 million by the way.

      1. Glen 1

        Re: Why did they have to pull the terrorist card?

        >1 million.

        Birmingham or Manchester? :P

        1. keithpeter Silver badge
          Pint

          Re: Why did they have to pull the terrorist card?

          Brum

          Well spotted

    2. John Brown (no body) Silver badge

      Re: Why did they have to pull the terrorist card?

      "No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station, the address of which I can get from the 1995 phone book."

      Not here in the UK if you want any sort of decent hit rate. Most of those 1995 addresses are bare land, housing estates or anything BUT a police station these days.

      1. Anonymous Coward
        Anonymous Coward

        Re: Why did they have to pull the terrorist card?

        > Not here in the UK if you want any sort of decent hit rate.

        Yes I did think about it. Admittedly, it does make the reconnaissance part a bit more costly than it needs to be, but think about the smugness as they pore through your digital devices looking for planning evidence.

        Plus I think the audience will like the retro twist when we sell the film rights.

    3. strum

      Re: Why did they have to pull the terrorist card?

      >No you bloody wouldn't, because if I want to publicise my cause by violent means I will just attack the police station

      You have been conditioned into believing that 'terrorism' is confined to mad beardies with suicide belts. But there are more sophisticated terrorists about. Northern Ireland has seen many, many personal attacks on policemen/women - at their homes.

  11. Herby

    Default passwords...

    They should do a HARD crash if it remains the "default" after a set time (1 week sounds fine). If it remains, reduce by half each subsequent restart until it "bricks" and it won't do anything.

    The other suggestion of no functionality until a password is set also sounds good to me.

    I am reminded of an operating system from the late 60's that had its system password set to an address that changed with every system generation. You had to look at the listing to figure it out. So, it can be done.

    1. Charles 9

      Re: Default passwords...

      Except there will be people who just don't get it and will complain to the point of filing lawsuits for defective products. And some of the complainants will have enough money or connections to cause problems regardless of fault, unless there's some kind of law in the books that penalizes "being bloody stupid".

      1. JulieM Silver badge
        Joke

        Re: Default passwords...

        Maybe it's a user-interface problem?

        The people who have such difficulties with passwords tend to be the same people who don't mind having bunches of keys and combination locks protecting stuff that doesn't really need it. So instead of a password, why not have physical Yale and Chubb locks that take actual keys, and a numeric keypad?

        1. Charles 9

          Re: Default passwords...

          I'd given a thought to that, actually (BEING SERIOUS HERE). In the old days, some PCs actually had locks on them so that if the key was turned one way, the keyboard was disabled. Perhaps they should re-institute the key lock, flip-covered button, or some other form of physical safeguard. It doesn't necessarily have to be high security for this case (though they can be for when necessary like enterprise applications), just not meant to be tripped accidentally AND physically separate from the normal user interface to reduce the chance of click fatigue/zombie action.

          1. jonathan keith
            Flame

            Re: Default passwords...

            Frankly, if someone can't understand or be bothered to carry out a single straightforward instruction, they're a danger to themselves and others and shouldn't be permitted to use the thing.

            1. Charles 9

              Re: Default passwords...

              So you're going to demand laws regulating things used in the privacy of their homes? Slippery slope here. At least cars run on government-funded roads.

              1. Boothy

                Re: Default passwords...

                Quote: "So you're going to demand laws regulating things used in the privacy of their homes? Slippery slope here. At least cars run on government-funded roads."

                How is this really any different than say gas or electric appliances in a home?

                With a home's gas and electric supplies, these are (usually) connected to public infrastructure. As this is public infrastructure (although typically owned and managed by one or more private companies), you are governed by legislation, to make sure your house is up to standard (up to code), i.e. it's safe, the gas isn't going to leak, you're hopefully not going to have an electrical fire etc.

                There is very little difference to me, between that, and making sure anything connecting to the public Internet is also 'up-to-code'.

                1. Charles 9

                  Re: Default passwords...

                  Last I checked, though, the Internet can't directly cause a fire and damage neighboring property (including PUBLIC property like the nearby street): allowing an overriding public interest like with the cars. Plus, most Internet infrastructure is privately owned.

  12. John H Woods Silver badge

    Easy consumer law regulation

    Just fine companies some % of turnover for using the same user/pass combination on more than one item.

    Even just using digits from the serial number would be safer than default credentials.

    1. Anonymous Coward
      Anonymous Coward

      Re: Easy consumer law regulation

      So what happens when (not if) the company finds a legal way to wipe out their turnover?

      1. strum

        Re: Easy consumer law regulation

        >So what happens when (not if) the company finds a legal way to wipe out their turnover?

        Then they cease to exist. (hint: turnover =/= profit)

        1. Charles 9

          Re: Easy consumer law regulation

          "Then they cease to exist. (hint: turnover =/= profit)"

          Hint: That's what lawyers and accountants are for. Ever heard of tax avoidance? If it costs less to hide their turnover than to pay the fine, they'll find a way to do it. Worst comes to worst, they'll cajole the public into changing the laws.

  13. Rockets

    Why an Internet APN?

    I find it interesting that these cellular gateways were connected to an APN that was public Internet. I would have thought that the police & fire departments would connect these devices to an APN that connected them to a private network that only those departments could access.

    This is what we do with our WAN routers which have 4G failover for the primary MPLS connection. The 4G IP addresses are routable via the MPLS the telco provides us. The PPP AAA from the 4G interface is even routed to our own RADIUS servers so I can set the username, password and IP address the interface gets, as well as define static routes via RADIUS for these connections. We also have some sites where 4G is their only connectivity and they connect this way too. It took a little bit of effort to set this up with the telco in the beginning but it's one of their standard offerings for enterprise customers so it wasn't that hard either. Not exactly rocket science, but we change the default credentials too and apply security updates when required.
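    An added illustration of the RADIUS side of what Rockets describes, not the commenter's own configuration: a FreeRADIUS-style `users` file entry that authenticates one gateway's PPP session on the private APN and hands back a fixed address plus a static route for the site behind it. The attribute names are the standard RADIUS framed-user attributes; the usernames, addresses, site numbering and secret are constructed for the example.

```text
# Constructed example: one entry per gateway, keyed by that gateway's own PPP username.
# Items on the first line are check items (must match); the indented lines are reply
# items pushed back to the telco's access server for this session.
gw-site-0042   Cleartext-Password := "example-unique-secret-0042"
               Service-Type = Framed-User,
               Framed-Protocol = PPP,
               Framed-IP-Address = 10.200.0.42,
               Framed-IP-Netmask = 255.255.255.255,
               Framed-Route = "10.42.0.0/24 10.200.0.42 1"

gw-site-0043   Cleartext-Password := "example-unique-secret-0043"
               Service-Type = Framed-User,
               Framed-Protocol = PPP,
               Framed-IP-Address = 10.200.0.43,
               Framed-IP-Netmask = 255.255.255.255,
               Framed-Route = "10.43.0.0/24 10.200.0.43 1"

# Any SIM or username not provisioned above gets no session at all, rather than
# falling back to a shared default or a public address.
DEFAULT        Auth-Type := Reject
```

With the APN's authentication forwarded to this server, a gateway that is not in the file never obtains an address, and one that is only ever receives the private address and route assigned here, so nothing about the unit (location page included) is reachable from the public Internet regardless of what its own admin password is set to.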

  14. David Roberts
    Unhappy

    What about the trucks?

    Loads of speculation about the police, but from my reading of the article this tracking technology is also used for tracking commercial vehicles. Much used in fleet logistics (though not necessarily all using these dodgy gateways).

    In the UK delivery services such as DPD provide live tracking of the delivery van via a web page. So the delivery vans must be updating the central server.

    I imagine security vehicles moving cash and other valuables around (such as collection/delivery for banks and major stores) are tracked to the inch. It would be good to know if the huge amounts of cash in transit (other brands of van are available) are being tracked via insecure gateways. Likewise ambulances and fire engines.

    Not all these scenarios will be a significant threat, but if you can track a truck known to carry high value cargo this must create opportunities for criminals.

    1. Charles 9

      Re: What about the trucks?

      If a cargo is REALLY high value, it's bound to have guards and other safeguards (such as using an armored truck). It's very hard to transport something very valuable very secretly. Even if you try obfuscation, you can never rule out the possibility of moles.

  15. SkippyBing

    On the plus side

    They should be able to find everyone to tell them to upgrade their software!
