RTLS Systems Vulnerable to MiTM Attacks, Location Manipulation
Security researchers have uncovered multiple vulnerabilities impacting UWB (ultra-wideband) RTLS (real-time locating systems), enabling threat actors to conduct man-in-the-middle attacks and manipulate tag geo-location data.
RTLS technology is widely used in industrial environments, mass transit, healthcare, and smart city applications. Its primary role is to assist in safety by defining geofencing zones using tracking tags, signal reception anchors, and a central processing system.
Tampering with the limits of hazard zones or the position of people in these environments can have dire consequences for their health and safety.
Nozomi analysts focused on the Sewio Indoor Tracking RTLS UWB Wi-Fi kit and Avalue Renity Artemis Enterprise kit, two widely used RTLS solutions that support the safety functionalities described above.
The tracking tags communicate with the anchor via UWB signals, while the anchors use Ethernet or Wi-Fi to transmit or receive data from the central computer.
If Wi-Fi is selected, both devices use a custom binary network protocol for communications. However, since there’s no encryption in the data, Wireshark captures of the network packets make reverse engineering possible.
The prerequisite for capturing those packets is to break into the Wi-Fi network, which is WPA2-PSK-protected. However, both vendors use a weak default password that may not be re-configured during installation, so many deployments are easy to breach.
If a remote attacker manages to compute the position of the anchors to derive the relative position of the tracking tags, they would be able to send arbitrary values to the central computer by forging sync and positioning packets.
Nozomi says the key information of anchor positioning can be derived through the transmitted power levels and timestamps, which indicate tag distances from the anchor points. However, physical access to the target area would simplify this process.
Apart from data manipulation, an attacker may eavesdrop to track assets and people positions, either for stalking and reconnaissance or for locating a valuable item.
Movement patterns can be recorded and replayed during attacks to imitate realistic tag movement, like a guard on patrol, for example.
Tampering with geofencing
An attacker with access to the RTLS system can alter the position of a tag as needed to allow entrance to a restricted area or to raise false alarms and disrupt production line operations.
Additionally, personnel could be put at physical harm risk by making them appear outside the proximity of machine safety zones, which would continue operating as if nobody was around.
If the threat actor aims to steal a valuable item tracked by a tag, they could manipulate its position to make it appear stable inside a protected zone while physically removing it from the monitored area without raising any alarms.
Nozomi suggests that admins of RTLS systems should use firewalls to restrict access, add intrusion detection systems in the network, and use SSH tunneling with packet synchronization counter-values for data encryption.