"RTLS Systems Vulnerable to MiTM Attacks, Location Manipulation"

Multiple vulnerabilities in ultra-wideband (UWB) real-time locating systems (RTLS) can allow threat actors to conduct man-in-the-middle (MiTM) attacks and manipulate tag geo-location data. RTLS technology is widely used in manufacturing, public transportation, healthcare, and smart city applications. Its primary function is to improve safety by defining geofencing zones with tracking tags, signal reception anchors, and a centralized processing system. Changing the boundaries of hazard zones or people's positions in these environments can have serious consequences for health and safety. Analysts at Nozomi focused on the Sewio Indoor Tracking RTLS UWB Wi-Fi kit and the Avalue Renity Artemis Enterprise kit, two widely used RTLS solutions supporting the safety functionalities. The tracking tags communicate with the anchors through UWB signals, and the anchors transmit and receive data from the central computer via Ethernet or Wi-Fi. If Wi-Fi is selected, both devices communicate using a custom binary network protocol. However, because the data is not encrypted, Wireshark can capture network packets, thus enabling reverse engineering. To capture those packets, the actor must first gain access to the WPA2-PSK-protected Wi-Fi network. Both vendors use a weak default password that may not be changed during installation, making many deployments vulnerable. If a remote attacker is able to compute the position of the anchors to figure out the relative position of the tracking tags, they can send arbitrary values to the central computer by forging sync and positioning packets. This article continues to discuss the vulnerability of RTLS technology to attacks. 

Bleeping Computer reports "RTLS Systems Vulnerable to MiTM Attacks, Location Manipulation"