I was intrigued by the news today that thousands of valid Uber accounts are apparently being sold on the Darknet. Hacked or stolen stuff being sold by criminals on Darknet forums is not at all surprising but I was curious, who would think using a stolen Uber account is a good idea?
Not exactly private
By it’s very nature, Uber requires you to divulge your location - it’s an IRL (In Real Life) transaction and that’s somewhat at odds with most online fraud which is typically faceless and anonymous. My curiosity got the better of me, as it often does, and I fired up the Uber mobile app on one of our rooted Android test phones - that we use for mobile application security testing - and had a closer look at exactly what information Uber is receiving when you use it.
Under the hood of the Uber Android app
The app itself installs into /data/data/com.ubercab and there’s a few bits and bobs in there that might be interesting if we were reviewing this from a local security point of view but, in this instance, I was more concerned with what it’s sending to Uber so by the power of ProxyDroid and Burp Suite I began reviewing the data communications.
I didn’t have to wait long to prove my point. Virtually the first communication sent by the app is an HTTP POST to https://cn-dc1.uber.com/event/user.
The POST request contains a JSON object called “events” with two interesting sections. It won’t surprise anyone to discover that your location is sent to the Uber API. This is sent as part of the “rider_app” object with the relevant sections shown below.
"rider_id": "06974df4-ffff-3939-4aed-f0305d3d0b34",
"rider_status": "looking",
"pin_location": {
"lng": -2.124343,
"lat": 51.899772
},
"driver_id": null,
"trip_id": null,
"city_name": null
Now, is this really such a big deal? If you’re using a stolen account I would guess one of two things is going to happen if you get rumbled:
- Uber suspend or flag the account and no drivers will pick you up.
- The driver picks you up and somehow discovers the account is compromised and ditches you early. They probably won’t get into a potential arrest situation. I doubt they’d consider it worth it.
I highly doubt that the fact you are literally walking into the crime scene would be a massive problem.
Home free? Maybe not.
So, will you get away with it? Based on the other information also sent in the “rider_app” object, without other precautions I doubt it.
The “device” object contains the following (obviously this has been altered from the real details):
"device": {
"google_play_services_status": null,
"os": "android",
"carrier_mnc": "30",
"region_iso2": "GB",
"google_play_services_version": null,
"os_version": "4.4",
"model": "Nexus 4",
"language": "en",
"carrier_mcc": "234",
"voiceover": false,
"carrier": "EE",
"serial_number": "00794282c794a134",
"id": "35391807189235",
"imei_number": "35391807189235"
},
That’s right, the model of your phone but, more crucially, the serial number of your phone, your carrier and IMEI number is sent along with the request. Unless you have also taken the precaution of using a “burner phone” (a prepaid phone with no ties to you that can literally be burned if required) then it won’t take much for Uber and the plod to identify those users who have been riding on someone’s else funds.
In addition, the app periodically sends a “ping” to Uber which contains the device location but also includes the mobile number. I didn’t dig into whether or not this is populated automatically by the app from the phone data or whether it just goes off the account details but it really doesn’t make much difference, the Old Bill can theoretically request this information from Uber and match it with records from the phone company to find out who you are.
Busted
So, in conclusion my assumptions have proven to be correct. Unless you have covered off a number of other key operational security requirements to truly detach your device from your real identity, connecting you with your use of a stolen Uber account appears to be a stroll in the park.