https://www.eff.org/deeplinks/2022/03/eff-investigation-mystery-gps-tracker-supporters-car

An EFF Investigation: Mystery GPS Tracker On A Supporter's Car

DEEPLINKS BLOG
By Cooper Quintin
March 28, 2022

Being able to accurately determine your location
anywhere on the planet is a useful technological trick. But when tracking isn't done by you, but to you--without your knowledge or consent--it's a violation of your privacy. That's why at EFF we've long fought against dragnet surveillance, mobile device tracking, and warrantless GPS tracking.

Several weeks ago, an EFF supporter brought her car to a mechanic, and found a mysterious device wired into her car under her driver's seat. This supporter, who we'll call Sarah (not her real name), sent us an email asking if we could determine whether this device was a GPS tracker, and if so, who might have installed it.

Confronted with a mystery that could also help us learn more about tracking, our team got to work. Sarah sent us detailed pictures of the device. It was a black and gray box, about four inches long, with a bundle of 6 wires coming out of one end. On one side, the words "THIS SIDE DOWN" were printed in block letters, next to three serial numbers.

[Image: A GPS tracker found in a car. The front reads "this side down." There are three barcodes and wires coming out of the end.]

First, we wanted to confirm that this was, in fact, a GPS device. We started by searching for the device's FCC ID in the FCC's database. Each device that has a radio transmitter or receiver is required to have an FCC ID. With that ID you can find manuals, pictures, and even internal schematics on any device the FCC has reviewed.

The FCC search confirmed that the device was a GPS tracker sold under the brand name "Apollo," and made by a company called M-Labs. According to the manual, the Apollo can track a car's location, then send the location to a server over a cellular connection. The manual also said the Apollo had a special type of port for communicating with the device, known as a UART serial port. Using this port, we could interact with the device in order to find out more about it.

A quick web search also revealed that a number of people all over the US had found these exact devices in their cars. Some people believed the GPS trackers were being installed by dealerships for repossession, or by rental car companies for fleet tracking.

We told Sarah what we had found, and agreed that with direct access to the GPS tracker, we might be able to find out when it had been installed, and therefore who had installed it. If it was installed at the time she bought the car, or before that time, then it could have been installed by the dealership. If it was installed after that date, then it's possible that Sarah had a stalker who had installed the device. The device was put in the mail and sent to our offices.

A few days later we received the Apollo and got to work. The first step was to pry off the case and get access to the internal components. We wanted to find the UART connectors, which would give us the ability to get diagnostic information out of the Apollo's cellular modem.

[Image: The Apollo GPS tracker opened up with the internal circuit board visible.]

Typically UART comes in a series of four pins, or at least four holes in a row, but this board didn't have anything like that. Looking closer, we noticed that there were some very tiny contact pads labeled ART1, RX, and TX. We decided to start there.

[Image: A close-up of the Apollo GPS tracker circuit board highlighting the UART connections.]

Let's take a step back and discuss why getting access to the UART port was so important. UART stands for Universal Asynchronous Receiver and Transmitter. It is both a piece of hardware and a protocol. The UART protocol lets you receive input and output over common copper wires by sending and receiving bits one at a time, encoded by either high or low voltage (the technical term for this is a "serial bus"). The hardware interface is typically 4 connections: voltage, ground, receive (rx), and transmit (tx).
Put simply, the UART connection lets you interact with the hardware as if you had a keyboard and monitor attached directly to it.

To connect to the UART bus on the GPS device we used a fun little tool called a "Bus Pirate." The Bus Pirate lets you connect to different hardware interfaces, including UART, and turns them into a USB interface that you can connect to with your computer.

We connected the Bus Pirate to a computer and gingerly held its wire probes against the contact points labeled RX and TX on the board, and set the Bus Pirate to connect over UART. The Bus Pirate sprang to life and returned the following:

    3fb{= ^Hx?~H? ?a>88N'?0 ~ s2G

It was nothing but gibberish. We decided to try using different baud rates, that is, the rate at which symbols are transmitted in an electronic communication. We finally discovered that a 115200 baud rate was what was needed to get coherent communication from the device. In between lines of more gibberish, we saw some readable text pop up:

    x V D~L"Bb3>3(PK P @ 0_q B! [ FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154 IP:10.90.1.52:3078; LPORT:3078 RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0; RS:0,900 CI}|>0oP D39@ KG_ C : (@

Success! We finally had some data out of the GPS device, but why was it still surrounded by garbage data? For the answer to this, we have to look again at how UART works. Since UART is just measuring voltage differences on the RX and TX pins, anything that interferes with those voltages will change the input and output. In this case, an EFF team member's hand was holding the Bus Pirate pin to the transmit connector of the GPS device, and that was creating extra interference, which then got interpreted as data coming from the GPS device, causing the garbled output.

Next, we soldered an RX and TX wire directly onto the GPS board and connected it to the Bus Pirate. After turning on the GPS device again, the output came out clean!

    FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154 IP:10.90.1.52:3078; LPORT:3078 RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0;

[Image: The Bus Pirate connected to wires soldered to the GPS tracker. The GPS tracker is also connected to a 9 volt battery.]

Now that we had a connection we could communicate with the Apollo's cellular modem by typing what are called "AT commands." AT commands are the standard way that humans and machines can interact with a cellular modem. They are called AT commands because they universally start with the letters "AT." For example: the command "ATD" would let you dial a number, and the command "ATA" would answer an incoming call.

We entered a basic AT command to determine whether things were working, and got nothing back. We tried several more AT commands and still nothing. We had been hoping to at least get an error code back but the cursor sat there, blinking at us like a patient dog, not understanding a word of what we were saying.

After several more hours of cursing, reading docs, banging our heads against the wall, and self medicating, we figured out the problem: we hadn't connected the ground pin. The UART connection was incomplete. Our carefully typed AT commands were not being sent to the waiting GPS device. Not wanting to get out the soldering iron again, we carefully placed a ground wire from the Bus Pirate onto the ground plane of the GPS device. It worked! We were able to send AT commands and get back data.

    FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154 IP:10.90.1.52:3078; LPORT:3078 RI:0,0,0; DTE:0,0,0,0,0,0; DI:0; HB:0; NR:2940,0,0; RS:0,90000,0
    Ready
    ATZONRS
    ERROR
    ATZ
    OK
    AT+IONRS
    ERROR
    AT+IONRS?
    ERROR
    AT+IONVO
    ERROR
    AT+IONVO?
    17569

The manual for the Apollo listed several special built-in AT commands for retrieving data. Under certain conditions, the device would generate a report of its activities, including its location history. This report is also what gets sent to the GPS tracker's owner.
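
Returning to the baud-rate search above: the following added example (not code from the article or from EFF's tooling) simulates a TX line carrying the banner text quoted in the article and decodes it at several candidate rates, showing why a wrong rate yields gibberish and how the right one can be picked automatically. It assumes 8N1 framing, which the article does not state, and a hypothetical 921,600 samples/s capture; all function names are illustrative.

```python
"""Added example: UART 8N1 framing and baud-rate search on a simulated capture."""

SAMPLE_RATE = 921_600  # assumed capture rate; an integer multiple of every candidate
CANDIDATES = [9600, 19200, 38400, 57600, 115200, 230400]
# Banner text as quoted in the article (used here only as sample payload).
BANNER = b"FW:2.4.3; BIN:1.1.95T; MEID:A100005B46F154 IP:10.90.1.52:3078; LPORT:3078"


def uart_encode(data, baud):
    """TX line as 0/1 samples: idle high, start bit 0, 8 data bits LSB first, stop bit 1."""
    spb = SAMPLE_RATE // baud  # samples per bit
    line = [1] * (2 * spb)
    for byte in data:
        bits = [0] + [(byte >> k) & 1 for k in range(8)] + [1]
        for bit in bits:
            line.extend([bit] * spb)
    return line + [1] * (2 * spb)


def uart_decode(line, baud):
    """Decode samples at the given baud rate. Returns (bytes, framing_error_count)."""
    spb = SAMPLE_RATE / baud
    out, errors, i = bytearray(), 0, 0
    while i < len(line):
        if line[i] == 1:           # idle or stop level: keep looking for a falling edge
            i += 1
            continue
        stop = i + int(9.5 * spb)  # midpoint of the expected stop bit
        if stop >= len(line):
            break
        byte = 0
        for k in range(8):         # sample each data bit at its midpoint
            byte |= line[i + int((1.5 + k) * spb)] << k
        if line[stop] == 1:
            out.append(byte)
        else:
            errors += 1            # stop bit low: framing error, byte discarded
        i = stop
        while i < len(line) and line[i] == 0:  # resynchronise on the next high level
            i += 1
    return bytes(out), errors


def score(line, baud):
    """Readable bytes minus unreadable bytes minus framing errors."""
    data, errors = uart_decode(line, baud)
    text = sum(1 for b in data if 0x20 <= b <= 0x7E or b in b"\r\n\t")
    return text - (len(data) - text) - errors


def detect_baud(line, candidates=CANDIDATES):
    return max(candidates, key=lambda rate: score(line, rate))


if __name__ == "__main__":
    capture = uart_encode(BANNER, 115200)  # constructed capture, not real device data
    for rate in CANDIDATES:
        data, errors = uart_decode(capture, rate)
        print(f"{rate:>6} baud  score={score(capture, rate):>4}  errors={errors:>3}  {data[:24]!r}")
    print("best guess:", detect_baud(capture))
```
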
We hoped that the report would also contain information about when and where the Apollo was first activated.

We tried various commands for several hours, trying to get a report out of the GPS device. All of our attempts failed. The documentation for the device was severely lacking. We wrote to M-Labs, the manufacturing company, hoping they would kindly send us a better manual, but never heard back.

Eventually we tried a command which would tell us the number of miles on the device's "virtual odometer." The answer: 17569, apparently the number of miles this device has traveled. Now we were getting somewhere. If our supporter Sarah had driven this car less than 17,000 miles, we could be certain it was installed before she had the car. We called Sarah and told her the news. We asked how many miles were on the car.

Unfortunately, Sarah had driven the car 29,000 miles since buying it, and she had bought it new, with less than 200 miles on it. This would seem to lead to an unsettling conclusion: could our supporter have a stalker?

Our odometer finding wasn't a sure thing, though. Given the sparse documentation, we couldn't be sure how accurate the virtual odometer was, or even how it worked. There was also the possibility that the device could have been reset at some point. We were going to need more information for a definitive answer to this mystery.

We tried once again to get the report out. Several more days and several hundred curse words later, we still couldn't devise a way to get the GPS to print the report that the manual promised. We began to believe the report would contain all the answers we were looking for--perhaps even the answers to life, the universe, and everything.

We had tried every command and every trick we could think of. Staring at a dead end, we decided it was time to take the low tech approach. Sarah said that when she first found the device she had asked her dealership if they ever installed GPS devices in the cars they sold.
Dealership employees swore that they had never done such a thing. While we couldn't know for sure if that was true, it was a mechanic from that dealership who first found the device, so we were inclined to believe them.

Sarah also mentioned that the car had been transferred from another Audi dealership in Orange County, California, when she bought it. Could they be the culprits? We called the original dealership and asked if they were familiar with this hardware or if they install GPS devices in their customers' cars. The dealership told us that they used to work with a company called Sky Link to install anti-theft devices, but didn't activate them unless the buyer paid for the service. Could this be an explanation for this rogue GPS device?

We wanted to confirm that this device did indeed belong to Sky Link. Their website seemed not to have been updated in years. It even contained a widget for Adobe Flash, a very old way of creating animation on websites. Still, there was a customer service number. We called Sky Link and asked if they could confirm whether this was one of their devices. The car's VIN (Vehicle Identification Number) wasn't in their database as having ever been activated. We had one last idea. We gave them the serial number of the hardware, and asked if it had ever been a part of their supply chain at all. Turns out, it had. The GPS device was bought by the dealership, but it was never activated.

At last, we had proof that this was a device installed by the dealership. We called Sarah to share the good news. She was very glad to find out that she didn't have a stalker.

While we regrettably can't spend this kind of time investigating every tech mystery that an EFF supporter has, we decided to take on this case because there was a lot we could learn. We learned about UART and the hidden consoles that are built into many hardware devices.
And we were reminded that sometimes a low tech approach is better than a high tech one for solving a mystery. Sometimes you can hack your way to solving a problem, and sometimes you can solve it by calling the right people and asking the right questions.

Another question lingers: Is the Sky Link GPS device still sending location data back to a Sky Link server? If so, could it be accessed by an employee, or someone who activates the device in the future? We were unable to reach Sky Link to get a confirmation either way, but it's a concerning possibility.

Given how many people have been surprised to find this specific GPS tracker in their cars (as mentioned above) it's possible that many car dealerships are installing these devices without proper customer notification. Those GPS devices could one day enable misuses or abuses. If you have found a device like this in your car, or if you work for Sky Link or a similar company, we would be interested to hear from you.