ITAG - it tracks your keys and let others track you

This device sells for about $2 to $4 on AliExpress and is basically for tracking your keys, phone and comes with a special feature which is a button that when pressed, takes a selfie or record audio using your phone.

It arrived like this:

The seller announces that the product use BLE (Bluetooth Low Energy) so I decided to scan it using bettercap.

Device name is ITAG and the vendor is attributed to Shen Zhen Shi Xin Zhong Xin Technology Co.,Ltd..

Lets enumerate the characteristics:

We have some writable characteristics but we need to understand what they do. In this step we could reverse engineer the mobile application or sniff the communication between the mobile phone and the ITAG.

One thing comes immediately is that you can change the Device Name (0x002) but that's irrelevant.

Before going to the Android application or sniffing the communication, one of the things that I had the previous experience is that these cheap trackers usually allow to you play with the service Immediate Alert which allows to beep the tracker.

In this case, if we send the value 0x002 (high alert) to handle 0025 it should beep the tracker.

Here is the snippet of python code that I used:

import sys
import pygatt

itag = sys.argv[1]
adapter = pygatt.GATTToolBackend()

    device = adapter.connect(itag)
    value = device.char_write_handle(0x0025, bytearray([0x02]), wait_for_response=False)

Regarding privacy - ITAG shows the real Bluetooth Address and not a random one, so it's possible to track users using this method.

And what about the Android app? Seems popular - +100.000 downloads. If you combine that with the number of ITAGs...

Look at the list of permissions:

<uses-permission android:name="android.permission.BLUETOOTH" />
<uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
<uses-permission android:name="android.permission.CAMERA" />
<uses-permission android:name="android.permission.FLASHLIGHT" />
<uses-permission android:name="android.permission.MOUNT_UNMOUNT_FILESYSTEMS" />
<uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
<uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.BAIDU_LOCATION_SERVICE" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_MOCK_LOCATION" />
<uses-permission android:name="" />
<uses-permission android:name="android.permission.WAKE_LOCK" />
<uses-permission android:name="android.permission.ACCESS_GPS" />
<uses-permission android:name="android.permission.GET_TASKS" />
<uses-permission android:name="android.permission.RECORD_AUDIO" />
<uses-permission android:name="android.permission.BROADCAST_STICKY" />
<uses-permission android:name="android.permission.WRITE_SETTINGS" />
<uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS" />
<uses-permission android:name="android.permission.READ_LOGS" />
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW" />

BUT besides having a lot "inconvenient permissions" and trash components (like umeng shady analytics), it only requests maps from Google and Baidu - this last one with some requests on unprotected HTTP.

By sniffing I didn't found any information besides the beep functionality:

In the end I was expecting a little more information sent to remote servers or even to trigger other device operations but I was wrong. It allows users tracking and pranksters could beep the ITAG all day - maybe until battery running out (which could take a while).

As reference for future devices, I open ITAG and took a picture of its components:

  1. Antenna
  2. Buzzer
  3. Push Button

Also it takes a CR2032 lithium battery.

I just identified the pins for UART - RX, TX, GND and VCC but for the sake of this research it didn't make sense to debug it.

The good thing on these trackers is that you can open and close the device without having to break anything or even use glue - like the expensive Tile.

Sponsored by: Char49

Show Comments