Discovering that a Bluetooth car battery monitor is siphoning location data

  • A Bluetooth-enabled battery monitor that logs car battery voltages. The hardware requires a smartphone for pairing.
  • The product collects GPS coordinates, cell tower data and nearby Wi-Fi beacons.
  • Location data is sent over the Internet to servers in Hong Kong and mainland China.
  • The app store listing misleads consumers by stating that no personal data is collected or shared. Since the Android app requires location permissions to use the hardware device, users are effectively forced to continuously broadcast their physical location to third parties in order to use the product.

There is no legitimate reason for a car battery monitor application to track its user's location. With over 100,000 downloads on Android alone, this raises significant privacy concerns.


In this three part series:

  • Part 1 – This page
  • Part 2 – Reverse engineering the AMap SDK location tracking features
  • Part 3 – Reimplementing BLE functionality and obtaining the firmware

In this series of posts, we explore the discovery of a Bluetooth-enabled battery voltage product, purchased from a popular electronics retailer in Australia. What started as an initial hunch led me down a rabbit hole to discover that the app covertly tracks the user's physical location. It collects GPS coordinates, neighbouring cell tower location data and Wi-Fi access points, sending this data to cloud servers in Hong Kong and mainland China.

At the time of writing, location data is sent to:
dualstack-cgicol.amap.com/ 106.11.130.194 (Alibaba Cloud, Beijing) and
bm2.quicklynks.com / 47.244.125.231 (Alibaba Cloud, Hong Kong)

Partly responsible for the extensive data collection is an embedded library called AMap, which is a “leading provider of digital map in China”.

Acquired by Alibaba, it is stated that “In 2018, Amap became the first Chinese maps service to navigate a path to 100 million daily users”. In part 2 we look under the hood at how AMap collects not only GPS coordinates, but also every other location signal the phone can obtain – surveying Wi-Fi and telecommunication cell tower data.

The Android application which connects to the battery monitor device, BM2, has 100K+ downloads and 1.55K reviews.

The iPhone iOS version can be found here. While I've not performed any static analysis on the iOS decompilations so far, inspection of the network traffic from the phone reveals that the Apple iPhone version is also sending location data to remote servers.

Feel free to reach out to me on twitter for the partially reverse engineered decompilation of the sources referenced. The subsequent posts should provide enough detail for others to independently verify what is being reported.

A Wireshark trace of mobile traffic

I purchased the car battery monitoring Bluetooth device, sold under the brand PowerTech, from a popular Australian electronics retailer, Jaycar Electronics.

This appears to be a re-branded Bluetooth 4.0 Battery Monitor by a company called Leagend, which is available on Amazon for purchase.

It's resold under local brands; for example another popular auto retailer, Repco, sells it under the Century brand.

Other device names are “ZX-1689” and “Li Battery Monitor”, which the application looks for in the device name of the advertising BLE beacon; these are identified in part 3.

The device is fairly simple – you connect it to the terminals of a battery and pair it with your phone. It shows the battery voltage/percentage and lets you run some crank tests. That's what's advertised.


Jaycar (Powertech) and Repco (Century) branded BM gadgets

Additionally, the required application runs in the background, effectively turning a smartphone into a location scanning device. Having your phone become a continuous Wi-Fi scanner drains the battery – and this isn't something legitimate application developers want. People do complain about the issues caused. Patrick's review of the BM2 app would agree:

While we can't explain a legitimate reason a battery voltage monitor would need to know your GPS location, a charitable explanation of the AMap SDK collecting GPS, Wi-Fi and cell tower data is that they're attempting to do what Google and Apple already do – build a relational database mapping cell towers and Wi-Fi access points to GPS coordinates. When a phone has poor GPS signal, knowing the adjacent Wi-Fi access points or cell towers within reception can help improve accuracy.

Some terminology

AMap collects the telecommunication provider's adjacent cell tower location data – specifically the Cell Global Identity (CGI). This is an ID that uniquely identifies a cell, unique across the whole world.

The CGI is made up of:

MCC = Mobile Country Code

MNC = Mobile Network Code

The MCC+MNC make up the PLMN (Public Land Mobile Network) – identifies the mobile operator (e.g. Telstra, Australia)

LAC = Location Area Code. A set of base stations grouped together in a geographical region

CI = Cell ID. Identifies a base station transceiver within a region. Think of this as the ‘antenna’ that your phone is talking to

In 4G, technically the TAC (Tracking Area Code) is used.

Wi-Fi data collection consists of:

BSSID – MAC address of Wi-Fi access points

SSID – Access point name
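To make the identifiers above concrete, here is an added example (not code from the original post or from AMap) that parses and validates a CGI into its MCC/MNC/LAC/CI parts, derives the PLMN, splits a 4G cell identity into its eNodeB and cell parts, and normalises a Wi-Fi BSSID. The sample values are constructed; the field sizes are the standard 3GPP ones noted in the comments, and the locally-administered check is the standard MAC address bit, included because a randomised BSSID is a poor long-lived location anchor.

```python
import re
from dataclasses import dataclass

# Field sizes assumed from 3GPP: LAC and TAC are 16-bit; a 2G/3G Cell ID is
# 16-bit, while a 4G E-UTRAN Cell Identity (ECI) is 28-bit
# (20-bit eNodeB id followed by an 8-bit cell id within that eNodeB).
LAC_MAX = 0xFFFF
CI_MAX_2G3G = 0xFFFF
CI_MAX_LTE = 0x0FFFFFFF


@dataclass(frozen=True)
class CellGlobalId:
    mcc: str           # Mobile Country Code, 3 digits
    mnc: str           # Mobile Network Code, 2 or 3 digits (leading zeros matter)
    lac: int           # Location Area Code (Tracking Area Code in 4G)
    ci: int            # Cell ID (ECI in 4G)
    lte: bool = False

    @property
    def plmn(self) -> str:
        """MCC+MNC identifies the operator, e.g. '50501' (MCC 505 is Australia)."""
        return self.mcc + self.mnc

    @property
    def lte_parts(self) -> tuple:
        """Split a 28-bit ECI into (eNodeB id, cell id within that eNodeB)."""
        if not self.lte:
            raise ValueError("not an LTE cell")
        return self.ci >> 8, self.ci & 0xFF

    @classmethod
    def parse(cls, text: str, lte: bool = False) -> "CellGlobalId":
        """Parse 'MCC-MNC-LAC-CI' (decimal fields) into a range-checked CGI."""
        m = re.fullmatch(r"(\d{3})-(\d{2,3})-(\d+)-(\d+)", text.strip())
        if not m:
            raise ValueError(f"not a CGI: {text!r}")
        mcc, mnc, lac, ci = m.group(1), m.group(2), int(m.group(3)), int(m.group(4))
        if lac > LAC_MAX:
            raise ValueError(f"LAC/TAC out of range: {lac}")
        if ci > (CI_MAX_LTE if lte else CI_MAX_2G3G):
            raise ValueError(f"cell id out of range: {ci}")
        return cls(mcc, mnc, lac, ci, lte)


# Six hex octets separated consistently by ':' or '-'
BSSID_RE = re.compile(
    r"^([0-9A-Fa-f]{2})([:-])([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\2"
    r"([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})\2([0-9A-Fa-f]{2})$"
)


def normalise_bssid(text: str) -> str:
    """Return the BSSID as lower-case, colon-separated octets."""
    m = BSSID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a MAC address: {text!r}")
    octets = [m.group(i) for i in (1, 3, 4, 5, 6, 7)]
    return ":".join(o.lower() for o in octets)


def is_locally_administered(bssid: str) -> bool:
    """Bit 1 of the first octet set means a locally administered (often
    randomised) address, which is not a stable anchor for a location database."""
    first_octet = int(normalise_bssid(bssid).split(":")[0], 16)
    return bool(first_octet & 0x02)


if __name__ == "__main__":
    # Constructed sample values, not observed data
    cgi = CellGlobalId.parse("505-01-12345-54321")
    print(cgi, "PLMN", cgi.plmn)
    lte = CellGlobalId.parse("505-01-1234-70000", lte=True)
    print("eNodeB/cell", lte.lte_parts)
    print(normalise_bssid("AA-BB-CC-DD-EE-FF"), is_locally_administered("02:00:00:00:00:01"))
```

The LTE flag matters: a cell id of 70000 is out of range for a 16-bit 2G/3G Cell ID but valid as a 28-bit ECI, so the parser rejects it unless told the cell is LTE.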

The AMap developers go to lengths to conceal the behaviour, encrypting any data before it touches disk or is sent over the Internet. Location data is encrypted with ephemeral AES keys, which are in turn encrypted with a public RSA key. This removes the dependency on certificate pinning and ensures man-in-the-middle inspection of the network traffic is not possible without modifying the application or obtaining the corresponding private RSA key.

Data privacy

Note: As of 27th of June 2023, the BM2 app developer has updated the privacy statements on both the Google Play and Apple App stores – now mentioning that precise location data is being collected.

The following is stated on the BM2 app Android Play store listing:

One by one, let's review the statements claimed:

1. No data shared with third parties

  • In addition to your battery statistics (e.g. voltage), the latitude and longitude coordinates of your location are sent to the BM2 application cloud servers, quicklynks.com
  • Crash analytics are sent to a third party Chinese company, umeng.com
  • Wi-Fi, cell tower and GPS coordinates are sent to a Chinese company, AMap

2. No data collected

  • Self explanatory

3. Data is encrypted in transit

  • Data sent to the BM2 cloud servers is unencrypted

How about on the Apple store? Take a look:

The privacy policy fine print does mention “Hong Kong” and “location information”. We all read the fine print, right?

Location and Android permissions

For the application to work, you must give the Android application permissions that allow it to collect location data, otherwise it won't work: for Bluetooth scanning, Android requires this permission. At least with the iOS version, you can hit “deny” when it asks for location permissions and the battery monitor device will still work.

To expand on the rationale cited, it's best explained from Android's developer documentation:

To provide users with greater data protection, starting in this release, Android removes programmatic access to the device's local hardware identifier for apps using the Wi-Fi and Bluetooth APIs.
To access the hardware identifiers of nearby external devices via Bluetooth and Wi-Fi scans, your app must now have the [ACCESS_FINE_LOCATION] or [ACCESS_COARSE_LOCATION] permissions.

I would argue that such a broad permission, covering Bluetooth, GPS and cell data alike, gives lower data protection – because it opens the door for app developers to abuse the permission, as we see with the BM2 application, which really just requires BLE scanning. BLE scanning can be achieved with just BLUETOOTH_SCAN, available on Android 12+.

Update 2023-06-27: Google provide further guidance here. It is possible to specify ACCESS_FINE_LOCATION with android:usesPermissionFlags set to neverForLocation. This is only for when Bluetooth scan results are used to derive physical location. That doesn't appear to be the case here though.
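The permission contrast above is easy to check mechanically in a decoded AndroidManifest.xml. The following is an added example, not code from the original post or from the BM2 app: a small audit that flags a location permission declared without an API-level cap and a missing or unflagged BLUETOOTH_SCAN. The two manifests are constructed for the demo (the `com.example.bm` package name is a placeholder); the permission names and the `android:usesPermissionFlags="neverForLocation"` / `android:maxSdkVersion="30"` attributes are the ones Android's Bluetooth permission documentation describes.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
BLE_SCAN = "android.permission.BLUETOOTH_SCAN"


def audit_manifest(manifest_xml: str) -> list:
    """Return findings about location-related permission declarations."""
    root = ET.fromstring(manifest_xml)
    declared = {}
    for elem in root.iter("uses-permission"):
        declared[elem.get(ANDROID_NS + "name")] = elem

    findings = []
    for perm in sorted(LOCATION_PERMS & declared.keys()):
        # Without maxSdkVersion the location permission is demanded on every
        # Android version, including 12+ where BLE scanning no longer needs it.
        if declared[perm].get(ANDROID_NS + "maxSdkVersion") is None:
            findings.append(
                f"{perm} requested on every API level; if it exists only for BLE "
                f'scanning, cap it with android:maxSdkVersion="30"'
            )
    if BLE_SCAN not in declared:
        findings.append(
            "BLUETOOTH_SCAN not declared; on Android 12+ BLE scanning can be "
            "granted through it without any location permission"
        )
    elif declared[BLE_SCAN].get(ANDROID_NS + "usesPermissionFlags") != "neverForLocation":
        findings.append(
            'BLUETOOTH_SCAN lacks android:usesPermissionFlags="neverForLocation", '
            "so scan results are still treated as location data"
        )
    return findings


# Constructed manifest resembling the over-broad pattern discussed above
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bm">
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
</manifest>"""

# Constructed manifest for an app that only needs BLE scanning
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.bm">
  <uses-permission android:name="android.permission.BLUETOOTH_SCAN"
                   android:usesPermissionFlags="neverForLocation"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
                   android:maxSdkVersion="30"/>
</manifest>"""


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_MANIFEST), ("hardened", HARDENED_MANIFEST)):
        print(label, audit_manifest(manifest) or ["no findings"])
```

Run it against the AndroidManifest.xml that jadx shows for an APK; the hardened manifest still lets the app scan for the battery monitor on older Android versions, but stops demanding a location grant where it is no longer needed.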

Our interest lies mostly in the phone applications that interface with the hardware, although it's customary to at least take a peek inside and find out what the possibilities are for pulling off the firmware.

Not much to it; some voltage regulators and a single SoC – a Texas Instruments CC2541 all-in-one Bluetooth Low Energy MCU. Datasheet here. Some possible debug ports are observed:



The CPU is based on an 8-bit Intel 8051. Later revisions of the CC series use the ARM Cortex architecture.

According to the specs, the CC series SoCs support on-chip debugging via a proprietary interface – no JTAG or SWD to be seen here. This means we'll need the CC Debugger or try some custom Arduino implementation, although this specific IC is not supported. As the device supports over-the-air updates, there is a REST endpoint which will return the firmware over HTTP, documented in part 3.

It appears there is no shunt or other current sensing circuitry. Hardware wise, this really is as simple as it gets.

The test setup

For testing I'm using a small lead acid 12V battery with the BM2 battery monitor and a rooted Android handset which will be used for dynamic instrumentation.

Notably, the setup sat on my desk. As we discover in part 2 of this blog post series, the AMap location data is only written to its database from memory when it detects you're physically moving. To overcome this and other hurdles, Frida and Objection are used extensively to instrument the running software at run time.


Intercepting network traffic

Mitmproxy is the de facto “in the middle” proxy software and it now supports a new mode using WireGuard. What this means is it's extremely trivial (and quick) to peek inside mobile application traffic with minimal configuration. Once the WireGuard application is installed on the handset, simply run mitmweb --mode=wireguard and scan the QR code on screen with the handset's camera. Immediately all traffic from the handset will be sent over a WireGuard tunnel to mitmproxy. Browsing to http://mitm.it then lets you download a certificate to add to the trust store. With iOS the process is trivial. Android has now made it harder to do, and in this case I had to use a rooted handset.

Note: Since the BM2 doesn't use HTTPS, there is no need to even install a certificate. What this means is that anyone can independently verify that their latitude and longitude coordinates are being sent, on either iOS or Android, with no modifications to their phone.

After the application connects to the battery monitor device, we see a POST request is sent to http://bm2.quicklynks.com:8080/api/bm2/userDevice/upload?.

Latitude and longitude fields are highlighted in green.


At the time of writing, this server resolves to a host in Alibaba Cloud, HK:

$ host bm2.quicklynks.com
bm2.quicklynks.com has address 47.244.125.231
$ curl https://ipinfo.io/47.244.125.231
{"ip":"47.244.125.231","city":"Sham Shui Po","region":"Sham Shui Po","country":"HK","loc":"22.3302,114.1595","org":"AS45102 Alibaba (US) Technology Co., Ltd.","timezone":"Asia/Hong_Kong"}

In this specific request we also see a sample of the battery voltages and the hardware MAC address of the device (nickname and serialNo).
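Because the upload is plain HTTP, the check described above can be automated rather than eyeballed. What follows is an added example, not code from the original post or from mitmproxy: an addon that inspects each request body (JSON or form-encoded), flags a latitude/longitude pair, a MAC-address-shaped value and plaintext transport, and a stand-alone `find_leaks` function that the addon wraps. The sample request body is constructed; the `lat`, `lng`, `nickname` and `serialNo` field names are assumed to match the ones seen in the upload, and the Sydney coordinates and MAC are invented.

```python
import json
import re
from urllib.parse import parse_qsl

LAT_KEYS = {"lat", "latitude"}
LNG_KEYS = {"lng", "lon", "long", "longitude"}
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def parse_body(body: str) -> dict:
    """Flatten a JSON object or an x-www-form-urlencoded body into str -> str."""
    body = body.strip()
    if body.startswith("{"):
        try:
            obj = json.loads(body)
            if isinstance(obj, dict):
                return {str(k): str(v) for k, v in obj.items()}
        except json.JSONDecodeError:
            pass
    return dict(parse_qsl(body, keep_blank_values=True))


def _as_float(value: str):
    try:
        return float(value)
    except ValueError:
        return None


def find_leaks(url: str, body: str) -> list:
    """Return human-readable findings for one request."""
    findings = []
    lat = lng = None
    for key, value in parse_body(body).items():
        k = key.lower()
        num = _as_float(value)
        if k in LAT_KEYS and num is not None and -90 <= num <= 90:
            lat = num
        elif k in LNG_KEYS and num is not None and -180 <= num <= 180:
            lng = num
        elif MAC_RE.match(value):
            findings.append(f"hardware MAC address in field '{key}'")
    if lat is not None and lng is not None:
        findings.append(f"GPS fix lat={lat} lng={lng}")
    if findings and url.lower().startswith("http://"):
        findings.append("sent over plaintext HTTP")
    return findings


class LocationLeakDetector:
    """mitmproxy addon: load with `mitmproxy -s this_file.py` or `mitmweb -s ...`."""

    def request(self, flow):
        # flow.request.get_text() decodes the body using the declared charset
        body = flow.request.get_text(strict=False) or ""
        for finding in find_leaks(flow.request.pretty_url, body):
            print(f"[leak] {flow.request.method} {flow.request.pretty_url}: {finding}")


addons = [LocationLeakDetector()]

# Constructed sample, shaped like the upload request but with invented values
SAMPLE_URL = "http://bm2.quicklynks.com:8080/api/bm2/userDevice/upload"
SAMPLE_BODY = "lat=-33.8688&lng=151.2093&nickname=BM2&serialNo=AA:BB:CC:DD:EE:FF&voltage=12.6"

if __name__ == "__main__":
    for finding in find_leaks(SAMPLE_URL, SAMPLE_BODY):
        print(finding)
```

Dropping the file into `mitmweb --mode=wireguard -s leaks.py` prints a line per offending request in the console while the web UI still shows the full flow; the same function works on a saved HAR or Wireshark export if you feed it the URL and body.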

Spoofing GPS coordinates

GPS coordinates can be spoofed by using the following Frida script to dynamically hook into the android.location.Location getLatitude/getLongitude methods. Frida will be used extensively in our testing. More on this later.

location.js

const lat = 39.1090;
const lng = -76.7700;

Java.perform(function () {
    var hookedClass = "android.location.Location";
    var Location = Java.use(hookedClass);

    // Replace the getters so every caller sees the spoofed fix
    Location.getLatitude.implementation = function () {
        console.log("[+] " + hookedClass + " new lat: " + lat);
        return lat;
    };
    Location.getLongitude.implementation = function () {
        console.log("[+] " + hookedClass + " new lng: " + lng);
        return lng;
    };
});

To invoke:
$ frida -U -l location.js -f com.dc.battery.monitor2

Memory analysis

As stated earlier, GPS, Wi-Fi and cell data is gathered by the embedded AMap library. The code is obfuscated to make reverse engineering more time consuming. Anything that touches disk or the network is an encrypted, serialized binary blob. This calls for some quick wins with dynamic instrumentation as the code runs on a handset while paired to the hardware battery monitor.

For example, we can peek inside the application's heap memory. For this we'll use a plugin for Objection called Wallbreaker. After some quick analysis of the AMap library we know what class names to search for instances of in memory:

GPS data:

Telecommunication provider cell data:

Wi-Fi data (toString() enumerated):

Decompilation

First let's grab the APK straight off the handset. We could of course get a copy from APKPure too from here.

First identify the application name identifier, which is com.dc.battery.monitor2:

Obtain the path of the APK with adb shell pm path, then pull it off the phone.

JADX is our choice for the decompiler, and it's just great. Opening the .apk, it handles everything in one shot, from decompression to decompiling the Java bytecode into Java.

The very first thing is to check the permissions in AndroidManifest.xml after opening the APK in jadx-gui.

The highlights in green raise a few questions. We have explained why FINE_LOCATION is required, but why would a battery monitor application need CAMERA, IMAGE_CAPTURE, ACTION_VIDEO_CAPTURE, MODIFY_AUDIO_SETTINGS and RECORD_AUDIO?

At this point it's possible that this functionality is unused. More investigation is needed here.

Very quickly we see that decompiling the Java bytecode directly from the APK is going to be problematic. The entrypoint is com.stub.StubApp, which has method names obfuscated with XOR encryption, which indicates there is more work to do.

Fortunately it's obvious that a commercial software packer called qihoo.util has been used. Zimperium has a good writeup on this packer as it's often found employed in Chinese-based mobile malware. It's somewhat advanced in the sense that the unpacked software is encrypted and packed into a native, compiled library. People have written unpacking tools that claim to handle this packer, such as android-unpacker. Given that developers often update and change their packing techniques, the unpacker tools in the public domain can quickly become outdated.

As such we'll take a much easier approach – by using frida-dexdump it's possible to dump the original (unpacked) mobile application Dalvik executable bytecode from memory after opening the application on the handset.

Qihoo 360 is not without their own controversy, being “placed on the Bureau of Industry and Security's Entity List due to U.S. national security concerns”.

After installing frida-dexdump (e.g. pip3 install frida-dexdump), run it after opening the application:

frida-dexdump -U -f com.dc.battery.monitor2 -d

Use dex2jar to convert classes.dex to Java bytecode:

./d2j-dex2jar.sh ./com.sec.android.app.samsungapps/classes.dex

We can then use jadx to decompile into readable Java and now have the original application code, method names and variable names for com.dc.battery.monitor2, as no further obfuscation was performed beyond the initial packing/encrypting.
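The frida-dexdump step above works because an unpacked DEX image has to exist in process memory with its header intact once the stub has decrypted it. To show the core of that idea, here is an added example, not code from the original post or from frida-dexdump: it scans a byte buffer for the DEX magic, validates the header fields and carves out each image by its declared file size. The dump is constructed in memory for the demo (two DEX-shaped images with a decoy magic between them); the header layout used (magic at 0x00, file_size at 0x20, header_size at 0x24, endian_tag at 0x28, 0x70-byte header) is the one from the Android DEX format specification. On a real device the same logic is applied to memory regions read from the app process rather than to a local buffer.

```python
import re
import struct

DEX_MAGIC_RE = re.compile(rb"dex\n0\d\d\x00")   # e.g. b"dex\n035\x00"
ENDIAN_CONSTANT = 0x12345678
HEADER_SIZE = 0x70


def carve_dex(blob: bytes) -> list:
    """Return (offset, size) for every plausible DEX image found in blob."""
    found = []
    pos = 0
    while True:
        m = DEX_MAGIC_RE.search(blob, pos)
        if not m:
            break
        off = m.start()
        if off + HEADER_SIZE <= len(blob):
            file_size, header_size, endian = struct.unpack_from("<III", blob, off + 0x20)
            plausible = (
                header_size == HEADER_SIZE
                and endian == ENDIAN_CONSTANT
                and HEADER_SIZE <= file_size <= len(blob) - off
            )
            if plausible:
                found.append((off, file_size))
                pos = off + file_size     # skip past the image we just carved
                continue
        pos = off + 1                      # decoy or truncated header: keep scanning
    return found


def build_fake_dex(payload: bytes, version: bytes = b"035") -> bytes:
    """Constructed DEX-shaped image: valid header fields, filler body (not real code)."""
    size = HEADER_SIZE + len(payload)
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = b"dex\n" + version + b"\x00"
    struct.pack_into("<III", hdr, 0x20, size, HEADER_SIZE, ENDIAN_CONSTANT)
    return bytes(hdr) + payload


def demo() -> list:
    """Constructed memory dump: padding, image A, junk, a decoy magic, image B."""
    dump = (
        b"\x00" * 37
        + build_fake_dex(b"A" * 100)
        + b"junk" * 10
        + b"dex\n035\x00garbage"           # magic with no valid header behind it
        + build_fake_dex(b"B" * 50, b"039")
        + b"\xff" * 3
    )
    return carve_dex(dump)


if __name__ == "__main__":
    for off, size in demo():
        print(f"DEX image at offset {off}, {size} bytes")
```

The decoy shows why the header check matters: matching on the magic alone would produce a garbage image, which is also why tools in this space re-check sizes and, for headerless images, rebuild the header before handing the result to dex2jar or jadx.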

The exception here is the AMap location services SDK library, which was originally obfuscated, and this will make our time a little harder when reversing those parts. Fortunately class names are recoverable for the AMap related classes by selecting Tools -> Deobfuscation in JADX.

While the variable and method names are random(ish) strings, the recovered class names are descriptive enough that with some effort the function of the classes and methods is identified, with methods and variables renamed appropriately by hand.

Next up, in part 2 we'll examine how the embedded AMap SDK is sending not only the GPS coordinates, but Wi-Fi and telecommunication cell tower data as well.

.... to be continued
Read the Original Article
Copyright for syndicated content belongs to the linked Source: Hacker News - https://doubleagent.net/2023/05/21/a-car-battery-monitor-tracking-your-location
