Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers

Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive data on millions of online location tracking devices managed by vulnerable GPS services.

The series of vulnerabilities was discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs 'Trackmageddon' in a report detailing the key security issues they have encountered in many GPS tracking services.

Trackmageddon affects several GPS services that harvest geolocation data of users from a range of smart GPS-enabled devices, including children trackers, car trackers, and pet trackers, among others, in an effort to enable their owners to keep track of where they are.

According to the researchers, the vulnerabilities include easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues.

By exploiting these flaws, an unauthorized third party or hacker can get access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names.

What's more? On some online services, an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices.

The duo said they have been trying to reach out to potentially affected vendors behind the affected tracking services to warn them of the severity of these vulnerabilities.

According to the researchers, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software.

Although four of the affected ThinkRace domains have now been fixed, the remaining domains still using the same flawed services continue to be vulnerable. Since many services could still be using old versions of ThinkRace, users are urged to stay up-to-date.

"We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users," the researchers wrote in their report.

"We understand that only a vendor fix can remove user's location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed."

In many cases, vendors attempted to patch the vulnerabilities, but the issues ended up re-appearing. Around 79 domains still remain vulnerable, and researchers said they did not know if these services would be fixed.

"There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online once more as vulnerable," the duo said.

You can find the entire list of affected domains on the Trackmageddon report.

Stykas and Gruhn also offered some suggestions for users to avoid these vulnerabilities, which include removing as much data from the affected devices as possible, changing the password for the tracking services and keeping a strong one, or just stopping use of the affected devices until the issues are fixed.