DownUnderCTF 2023 – Faraday

Authors
  • Lumy

Faraday

We've been trying to follow our target Faraday but we don't know where he is. All we know is that he's somewhere in Victoria and his phone number is +61491578888.

Luckily, we have early access to the GSMA's new location API. Let's see what we can do with this.

The flag is the name of the Victorian town our target is in, in all lowercase with no spaces

Table of Contents

  1. API website
  2. Solution

API website

The challenge gives us this description on a Swagger page with a single endpoint, /verify:

This API provides the customer with the ability to verify the location of a device.

Introduction

Customers are able to verify whether the location of a certain user device is within the area specified. Currently the only area supported is a circle determined by the provided coordinates (latitude and longitude) and some expected accuracy (radius).

The verification result depends on the network's ability and accuracy to locate the device at the requested area.

If the network locates the device within the requested area, the verification result is TRUE. The requested area may not match the area where the network locates the device. In this case, the verification result is FALSE. If the requested area partially matches the area where the network locates the device, the verification result is PARTIAL. In this case, a match_rate could be included in the response, indicating an estimation of the likelihood of the match in percent. Lastly, the network may not be able to locate the device. In this case, the verification result is UNKNOWN.

Location Verification could be useful in scenarios such as:

  • Fraud protection to ensure a given user is located in the region, country or location claimed for financial transactions
  • Verify the GPS coordinates reported by the app on a device to ensure the GPS was not faked e.g. for content delivery with regional restrictions
  • Location-based advertising: trigger targeted advertising after verifying the user is in the area of interest
  • Smart Mobility (Vehicle/bikes renting): confirm the location of the device and the location of the vehicle/bike to guarantee they are rented correctly

Relevant terms and definitions

Device : A device refers to any physical entity that can connect to a network and participate in network communication.

Area : It specifies the geographical surface where a device may be physically located.

Verification : Process triggered in the API server to confirm or contradict the expectation assumed by the API client about the device location.

API Functionality

The API exposes a single endpoint/operation:

  • Verify whether the device location is within a requested area, currently a circle with its center specified by the latitude and longitude, and its radius specified by the accuracy. The operation returns a verification result and, optionally, a match rate estimation for the location verification in percent.

Solution

First, we selected the center of Victoria (Bendigo) with the maximum range allowed by the spec (radius: integer in [2000, 200000]). We get a location hit:

curl -X 'POST' \
  'https://osint-faraday-9e36cbd6acad.2023.ductf.dev/verify' \
  -H 'accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{
  "device": {
    "phoneNumber": "+61491578888"
  },
  "area": {
    "areaType": "Circle",
    "center": {
      "latitude": -36.745465780495074,
      "longitude": 144.26789033200535
    },
    "radius": 200000
  },
  "maxAge": 120
}'
{
  "lastLocationTime": "Tue Sep  5 11:46:05 2023",
  "verificationResult": "TRUE"
}

Next, we determine the minimum radius that still returns a valid result, which is 196289. The goal is to find the location for which the API's minimum radius value still gives a hit.

By moving to another city with the same parameters, we then see whether we still get a location hit. If we do, we again determine the minimum radius that still gives a hit.

Example with the city of Shepparton:

{
  "device": {
    "phoneNumber": "+61491578888"
  },
  "area": {
    "areaType": "Circle",
    "center": {
      "latitude": -36.382119013232625,
      "longitude": 145.40197359939046
    },
    "radius": 92577
  },
  "maxAge": 120
}

Finally, with this methodology, we can determine that Faraday is in Milawa, as we reached the minimum radius the API allows:

{
  "device": {
    "phoneNumber": "+61491578888"
  },
  "area": {
    "areaType": "Circle",
    "center": {
      "latitude": -36.45507831332641,
      "longitude": 146.43175093429588
    },
    "radius": 2000
  },
  "maxAge": 120
}

{
  "lastLocationTime": "Tue Sep  5 12:00:30 2023",
  "verificationResult": "TRUE"
}

FLAG : DUCTF{milawa}
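
The radius search from the Solution, as an added example that is not part of the original write-up: a binary search finds the minimum radius in at most 19 requests per centre, and that minimum is the distance from the centre to the device, which is why a TRUE/FALSE answer is enough to close in on it. The oracle is a constructed offline stand-in for /verify (assumed: TRUE exactly when a point device lies inside the circle); the device position and the names make_oracle, min_radius and demo are assumptions of this example, so the radii differ slightly from the ones above.

```python
import math

R_EARTH = 6_371_000          # mean Earth radius in metres
R_MIN, R_MAX = 2000, 200000  # radius bounds from the spec quoted in the write-up

def haversine(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in metres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * R_EARTH * math.asin(math.sqrt(a))

def make_oracle(dev_lat, dev_lon):
    """Constructed stand-in for /verify (assumption: point device, no PARTIAL)."""
    calls = {"n": 0}
    def verify(lat, lon, radius):
        if not R_MIN <= radius <= R_MAX:
            raise ValueError("radius outside [2000, 200000]")
        calls["n"] += 1
        return "TRUE" if haversine(lat, lon, dev_lat, dev_lon) <= radius else "FALSE"
    return verify, calls

def min_radius(verify, lat, lon):
    """Smallest integer radius that still returns TRUE, or None if out of range."""
    if verify(lat, lon, R_MAX) != "TRUE":
        return None
    lo, hi = R_MIN, R_MAX    # invariant: hi always returns TRUE
    while lo < hi:
        mid = (lo + hi) // 2
        if verify(lat, lon, mid) == "TRUE":
            hi = mid
        else:
            lo = mid + 1
    return hi

# Constructed device position: the Milawa centre from the final request above.
DEVICE = (-36.45507831332641, 146.43175093429588)
BENDIGO = (-36.745465780495074, 144.26789033200535)
SHEPPARTON = (-36.382119013232625, 145.40197359939046)

def demo():
    """Minimum radius per centre, plus the total number of oracle requests."""
    verify, calls = make_oracle(*DEVICE)
    centres = {"Bendigo": BENDIGO, "Shepparton": SHEPPARTON, "Milawa": DEVICE}
    out = {name: min_radius(verify, *c) for name, c in centres.items()}
    return out, calls["n"]

if __name__ == "__main__":
    print(demo())
```

Because the minimum radius equals the distance to the device, the spec's 2000 m floor is the only thing limiting how precisely the endpoint can be made to answer.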