My boss got 2 gsm devices for gps, device 2 is simple, it gets a call and it sends out a sms with the geolocation (google earth formatted). However, it is lacking some other features, so my boss asked me to work with device one: VAE-307, from Vision. So far, it looks quite easy: a) use a phone to write 7 contacts to a GSM sim card, each contact has a to be the user/id, and the phone number to call if there's an event. No mystery there. Field #4 is slightly different, it is just the password for the commands, and 'name' field is to remain blank. Once you have the 7 contacts, you put the sim card in the gps and you power it on. With a phone as gateway, I will develop a software to page the gps and generate a report with the answers.
To request an action, you just type and send a sms like this: "# password # 000X", where password is the 4 digits password on position 4, and the X is a number from 1 to 8. So far, the command we are testing is 0008, which will get the geolocation via sms.
Here comes the problem. I use my pc to connect via Bluetooth to a regular phone, and I issue the AT commands like this:
AT+CMGF=1 [ENTER]
OK
AT+CMGS="NUMBER" [ENTER]
> #PASS# 0008 [CTRL + Z]
+CMGS: 71
OK
As you may know, format is text per the first line, 'number' belongs to the destination, 71 is the confirmation number. I verified that the message gets sent/received. My concern goes to the line '#PASS# 0008'. I can tell the message has been sent. I know it is received. I am not sure if every single one gets read at the gps. Yet, I am not receiving a reply. Not a single one.
This is what I have done so far: the excuse for a manual provided with the device says (and I am quoting):
Name: N/A
Number: # password #
The password is 4 digit Arabic numerals code, giving access to use SMS to control some system function in vehicle.
So, I wasn't sure if '#' or the blank space were supposed to be included with the password or not. The example DOES include the '#' with this format: '#5566#', but the blank space is not present. Later on, a list of examples is provided, the one I'm after looks like this:
# Password # 0008
So, again, I'm not sure if '#' is part of the password declaration, or if it is to stress the fact the field is numeric or if it has to be there when sending the message. Nevertheless, the first approach I had (password = '#5566#', command = '#5566# 0008') did not work, I got no reply. So I tried different combinations:
#5566#0008
# 5566 # 0008
#5566 #0008
5566 0008
1 5566 1 0008 (assuming '#' meant I needed the number for the contact on memory)
And I also tried the sim card with '#5566#' and '5566'. Please notice that the format on the manual adds a blank space between '#' and 'password', but that is not possible when writing a number on the sim card, the phone won't let you, and trying to write it with the AT command will not do it, either. At this point, I thought it could be the format, so I tried sending it with PDU instead of text, and the gps converted it to the text format, so I said exactly the same as the original message. Message Format discarded as the root for the problem.
So I went out to find help on the manufacturer's web, no surprise there: http://www.visionsecurity.com.tw/ has no software download or updated manual listed, further web research gave me http://www.visionsecurity.com.tw/upload/file/23_file_1_cht.pdf (not shown in the website) which is the manual... in Chinese. With the aid of Google Translator, I managed to find out that both of the versions contain pretty much the same lack of information. And I found no other human with the same problem.
Final details: the device has some wires to check the car alarm and doors status, if you give ground voltage to some of them, sms will be sent with the proper location. If the alarm switch gets pressed, sms will be received, and a phone call will be established, so I know the gsm service is working there, and if you check the sim card, you can find the sms with the password, so the device is receiving them.
The question is: does anyone know the correct way to program this VAE-307 Quad-Band GSM & GPS Pager Kit device to have it sending a SMS reply with its geolocation whenever I send a request for it?
Thank you all in advance.
I have submitted the following template for approval many times through woztell and got rejected. Apparently, the reason stated by WhatsApp is "Invalid_Format".
I need to know exactly what the invalid formats and mistakes that I have made are, and how I can rectify these mistakes.
<Header:>
*Thank you for filling up the Growth and Development form.*
<Body:>
*Your responses indicate that your child may require pediatric intervention. Please ensure that you show this message to Doctor {{6}} as soon as possible, and get the right advice for your child.*
*Growth and Development Red Flags for Patient {{7}}*
1. {{1}}
2. {{2}}
3. {{3}}
4. {{4}}
5. {{5}}
<Footer:>
*Important Message for the Doctor:* The form responses by the patient indicate {{8}} Red flags. Only a maximum of 5 are displayed in this message. The patient has received an email with the list of red flags, kindly ask the patient to share the email with you.
Please specify the mistakes that I have made and also suggest some corrections.
There are lots of issues in your template. You have to read about the message template restrictions and reasons for rejection. Below are the problems in your template that I know of:
It can't allow using * in the header and footer part
It can't allow any variable in the footer, and you have added {{8}}
Maximum length of text in the footer is 60 characters
Too many parameters in the body as per the static content, try to reduce variables.
I am building a device with GSM Modem and a SIM card. I would like to protect the SIM card with a pin to prevent its misuse when the devices are installed on field.
Storing the pin for associated SIM into each device would be cumbersome. Also, if SIM is replaced, I want the device to automatically know the PIN for the new SIM. So I was thinking of using a one way hash function to generate the pin from one or more properties of the SIM like its IMSI, ICCID, SIM Card Group Identifier, Service Provider Name etc.
When a SIM is inserted, the device can dynamically calculate the correct PIN based on these properties.
(I know that security based on secret algorithm violates the basic principles of computer security, but in this case I don't need it to be fool proof - I just need something better than leaving it unprotected.)
The problem is that none of these properties can be read before entering the PIN.
Is there any other property that can be read without entering the PIN? Or do you have any work around that does not require storing of PIN on the device in advance?
Yes, it should be possible to generate the PIN using the SIM properties themselves (assuming you have a relation with the card vendor and the operator).
PIN = some_function(sim_properties)
Regarding each property that you mentioned:
ICCID - yes, this is unique per card. No read restriction and cannot be updated. First choice to use.
IMSI - unique per card but cannot be used. You need to provide PIN to read this file.
SPN - yes, can be used as well, but is not unique per card. If you want to use this file, ensure that it will not be updated by operator via OTA (Over The Air) RFM (Remote File Management).
GID - this file is optional, better not to use it.
For the function itself, I propose using a cryptographic hash instead of only a hash, to give more security.
Additionally, you may also ask the card vendor to add additional proprietary file (EF), which you can put additional data inside (additional keys, bitmasks, key index of master keys to be used, etc).
At the final step, do not forget to convert the cryptographic hash result into numeric format 4-8 digits.
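An added sketch of the derivation this answer outlines (not code from the answer): read the ICCID, run it through a keyed cryptographic hash, and reduce the result to a 4-8 digit PIN. It uses HMAC-SHA256 as the cryptographic hash; the master key, the `sim-pin-v1` label and the sample EF_ICCID bytes are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values, for illustration only.
SAMPLE_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_EF_ICCID = "98101400000000000010"  # raw EF_ICCID content as hex


def decode_ef_iccid(raw_hex: str) -> str:
    """Decode EF_ICCID (nibble-swapped BCD, 'F' padded) into its digit string."""
    if len(raw_hex) % 2:
        raise ValueError("EF_ICCID hex must have an even number of characters")
    swapped = "".join(raw_hex[i + 1] + raw_hex[i] for i in range(0, len(raw_hex), 2))
    return swapped.upper().rstrip("F")


def derive_pin(master_key: bytes, iccid: str, digits: int = 4) -> str:
    """Derive a 4-8 digit PIN from the ICCID with a keyed hash (HMAC-SHA256)."""
    if not 4 <= digits <= 8:
        raise ValueError("a SIM PIN is 4 to 8 digits long")
    if not (iccid.isascii() and iccid.isdigit()):
        raise ValueError("ICCID must contain decimal digits only")
    # "sim-pin-v1" is a hypothetical label that separates this use of the key
    # from any other use of the same key.
    mac = hmac.new(master_key, b"sim-pin-v1|" + iccid.encode("ascii"),
                   hashlib.sha256).digest()
    # 64 bits reduced modulo at most 10**8: the modulo bias is negligible.
    value = int.from_bytes(mac[:8], "big") % 10 ** digits
    return f"{value:0{digits}d}"


if __name__ == "__main__":
    iccid = decode_ef_iccid(SAMPLE_EF_ICCID)
    print(iccid, derive_pin(SAMPLE_MASTER_KEY, iccid))
```

A SIM blocks its PIN after three wrong attempts, so the device should submit the derived PIN once per inserted card and stop on failure rather than retry. The PINs are only as secret as the master key: anyone who extracts it from one device can compute the PIN for every card.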
Actually I build the travel app which helps to track the user location, but if there is no internet how can I store the location? Is there any trick to find out the location with GSM?
Yes, it is very much possible but gets useless to you.
You can get the approximate (lati & longi) position (if the operator allows, I don't think they do) but what would you do because it wouldn't be possible to communicate back to the traveler/user. At most you can send the user an SMS.
A mobile network consists of a number of adjacent radio cells, each of which is characterized by an identifier made up of four data items:
Cell ID
LAC, or Local Area Code
MCC, an acronym for Mobile Country Code
MNC, or Mobile Network Code, which obviously identifies the phone company itself
For this reason, once a cell name and coordinates(latitude and longitude) are known, and considering the maximum distance allowed between this cell and a phone before the phone connects to a new cell, it is possible to find out, approximately, the most distant position of the phone itself.
It's not possible to use GSM. GSM service providers can get the location details but they don't share that data with the public.
I viewed here:
https://developers.google.com/google-apps/contacts/v3/?csw=1
there are reference to PhoneNumber in the response, is this actually possible, I went to their playground but could not find any phone number in the response of contacts, before moving on to a live implementation I would like to be sure phone numbers are retrievable.
As to Microsoft, I couldn't find any reference to phone number retrieval from oAuth, anybody knows if this is possible?
I'm able to see phone numbers when I run a query against Google's implementation.
I did notice that the initial results (first 25 only) didn't appear to have any, but once I dumped all my contacts (https://www.google.com/m8/feeds/contacts/default/full?max-results=99999) I was able to see the results that I'd expected.
https://developers.google.com/gdata/docs/1.0/elements#gdPhoneNumber
As per the title really, just what can be done to defeat key/keystroke logging when authenticating access?
I have just posted a related question (how-to-store-and-verify-digits-chosen-at-random-from-a-pin-password) asking for advice for choosing random digits from a PIN/password. What other reasonably unobtrusive methods might there be?
Any and all solutions appreciated.
One solution to defeat keyloggers is to not care if they capture what you type.
One time passwords (search: "OTP") are one solution. Smartcard authentication is another.
A hardware-based keylogger will not be fooled by any solution that requires the use of a keyboard. So, to bypass those you will need to have input through the mouse only. But software-based keyloggers can be stopped by adding a keyboard hook in your own code which captures the keys and which does not call the next hook procedure in the hook list. But keyboard hooks tend to trigger antivirus software if used incorrectly and will cause bugs if you use them in any dynamic library with the wrong parameter.
And basically, a keylogger will use a keyhook to capture keystrokes. By adding your own keyhook on top of the malware keyhook, you'll disable the keylogger.
However, there are keyloggers that hide deeper in the kernel so you'd soon end up with a keylogger that will bypass your security again.
Don't focus too much on the danger of keyloggers, though. It's just one of the many methods that hackers use to get all kinds of account information. Worse, there's no way that you can protect your users from social engineering tricks. Basically, the easiest way for hackers to get account information is by just asking their victims for this information. Through fake sites, false applications and all kinds of other tricks they could just collect any information that you're trying to protect by blocking keyloggers. But keyloggers just aren't the biggest dangers.
One suggestion was to use pictures of cute kittens (or puppies) for the user to click on. What you could do is use a set of 10 pictures and let the user pick four of them as their "pincode". Then, whenever the user needs to enter their code, display the pictures in any random order so hackers have no use for its location. If it's a web application, also give the pictures a random name, and just let the server know which is which. To make it even more complex, you could create 10 sets of 10 pictures, where every picture displays a single object but from a slightly different perspective, different angle or in a different color. Set 1 would be a chair, set 2 a table, set 3 a kitten, set four a puppy, etc. The user then just needs to remember: Table, kitten, chair, puppy. (Or puppy, chair, chair, table. Or kitten, puppy, puppy, puppy...)
You could have a clickable image with the letters on it. Your users will be pretty mad though...
You can allow only an on-screen keyboard to be used to enter the password.
Or you can write a module (in Flash, for example) for recognition of handwritten passwords (via mouse or stylus).
The only real way is a proper second factor authentication: Either something the person is: fingerprint, iris scan. Or something they have: one-time password list/generator; crypto-generator.
Assuming that only keyboard, and not mouse input is captured, you could type the password out of order moving the cursor with the mouse.
I really like the one time approach better, though.
How about a variation of standard password. For example you could have a list of words and have program leave out random letters from each word. In addition to that it would leave out one word from the list which user would have to remember and type it out.
If the words form a sentence, it would be easier for users to remember it, but on the other hand creation of the sentence would be more difficult because you'd need to use words which can't be guessed from the sentence's context.
Another variation of this could be to have the program at random ask the user to replace all letters i with 1 or a with 4, or to place, say, letter R after every third letter A or something similar.
Basically, have a password which would be modified at random and have instructions displayed to the user on how to modify the password.
Now that I think of it, I'm not sure how unobtrusive my ideas are...
The online banking portal of my bank has a nice way that I find very unobtrusive. When creating the account, you define a 6 digit PIN (additional to a normal password). After entering your password, you're asked for 2 digits of the 6 digit PIN at 2 random positions. For example, if your PIN is 654321, it'll ask you for digits 2 and 5 and you'll click on 5 and 2 (it has a numpad with digits to click on). Even if you'd enter the digits with your keyboard, it would still be kind of safe because the attacker won't know which digits you've been asked for (unless he captures the screen as well, maybe using tempest).
So, short answer: Ask only for some parts of the password/PIN, in random order. Having the user use the mouse increases security.
One more idea: If you have a PIN (numerical password), ask the user for modifications of certain digits, e.g. "2nd digit plus 3, 4th digit minus 1".
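The "ask only for some digits, at random positions" scheme from the banking answer above, as an added server-side sketch (not code from any of the answers). `PartialPinSession` and `expected_digits` are hypothetical names, and the sketch assumes the server can recover the PIN digits, which a single hash of the whole PIN would not allow.

```python
import hmac
import secrets

_rng = secrets.SystemRandom()  # OS-backed CSPRNG, not the default Mersenne Twister


def expected_digits(pin: str, positions: list[int]) -> str:
    """Digits of `pin` at the given 1-based positions, in the order asked."""
    return "".join(pin[p - 1] for p in positions)


class PartialPinSession:
    """One login session that challenges for `ask` digits of the stored PIN."""

    def __init__(self, pin: str, ask: int = 2, max_failures: int = 3):
        self._pin = pin
        self._ask = ask
        self.failures_left = max_failures
        self.positions = self._pick()

    def _pick(self) -> list[int]:
        # Distinct positions, returned in random order.
        return _rng.sample(range(1, len(self._pin) + 1), self._ask)

    def submit(self, digits: str) -> bool:
        if self.failures_left <= 0:
            return False  # locked: even a correct answer is refused
        want = expected_digits(self._pin, self.positions)
        ok = hmac.compare_digest(want.encode(), digits.encode())
        if ok:
            # Rotate only after success, so each login asks something new.
            self.positions = self._pick()
        else:
            # Keep the SAME positions after a failure: a fresh challenge per
            # attempt would let someone who captured a few digits reload
            # until exactly those positions come up.
            self.failures_left -= 1
        return ok


if __name__ == "__main__":
    session = PartialPinSession("654321")  # the PIN used in the answer above
    print("asked for positions", session.positions)
    print(session.submit(expected_digits("654321", session.positions)))
```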