Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive information on millions of online location tracking devices managed by vulnerable GPS services.
The series of vulnerabilities was discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs 'Trackmageddon' in a report detailing the key security issues they encountered in many GPS tracking services.
Trackmageddon affects several GPS services that harvest geolocation data of users from a range of smart GPS-enabled devices, including child trackers, car trackers and pet trackers among others, so that their owners can keep track of where they are.
According to the researchers, the vulnerabilities include easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues.
By exploiting these flaws, an unauthorized third party or hacker can gain access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names.
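As an added illustration of the IDOR class of bug named above (example code written for this article, not code from the Trackmageddon report or from any affected vendor), the following minimal location-lookup handler shows the vulnerable pattern beside an ownership-checked version; the device records and IMEI strings are constructed sample values.

```python
# Added example: an IDOR-vulnerable tracker lookup next to a hardened one.
# Not taken from any real GPS tracking service; all data below is constructed.
from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    owner: str       # account that registered the tracker
    imei: str        # constructed placeholder, not a real IMEI
    lat: float
    lon: float


# Constructed sample records: two accounts, one tracker each.
DEVICES = {
    1001: Device(1001, "alice", "IMEI-SAMPLE-0001", 52.52, 13.405),
    1002: Device(1002, "bob",   "IMEI-SAMPLE-0002", 48.85, 2.35),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested device."""


def get_location_idor(session_user: str, device_id: int) -> dict:
    """Vulnerable: the client-supplied device_id is used directly and the
    logged-in user's ownership is never checked. Any authenticated account
    (even one with a guessable password) can read every tracker's data."""
    dev = DEVICES[device_id]
    return {"lat": dev.lat, "lon": dev.lon, "imei": dev.imei}


def authorize_device(session_user: str, device_id: int) -> bool:
    """Ownership check: the device must exist AND belong to the caller."""
    dev = DEVICES.get(device_id)
    return dev is not None and dev.owner == session_user


def get_location_fixed(session_user: str, device_id: int) -> dict:
    """Hardened: resolve the device only within the caller's own scope and
    answer 'not found' and 'not yours' identically, so numeric device IDs
    cannot be enumerated through differing error messages."""
    if not authorize_device(session_user, device_id):
        raise Forbidden("no such device for this account")
    dev = DEVICES[device_id]
    return {"lat": dev.lat, "lon": dev.lon, "imei": dev.imei}
```

The same ownership check belongs on every per-device resource the service exposes (photos, audio uploads, location history), not only on the live-position endpoint.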
What's more? On some online services, an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices.
The duo said they have been trying to reach out to the potentially affected vendors behind the tracking services to warn them of the severity of these vulnerabilities.
According to the researchers, one of the largest global vendors of GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and the seller of licenses to that software.
Although four of the affected ThinkRace domains have now been fixed, the remaining domains still using the same flawed service software continue to be vulnerable. Since many services could still be running old versions of the ThinkRace software, users are urged to stay up-to-date.
Stykas and Gruhn also offered some suggestions for users to limit their exposure to these vulnerabilities: remove as much data from the affected devices as possible, change the password for the tracking service and keep a strong one, or simply stop using the affected devices until the issues are fixed.
"We tried to give the vendors enough time to fix (also respond for that matter) while we weighted this against the current immediate risk of the users," the researchers wrote in their report.
"We understand that only a vendor fix can remove user's location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed."
In many cases, vendors attempted to fix the vulnerabilities, but the issues ended up re-appearing. Around 79 domains still remain vulnerable, and the researchers said they did not know if these services would be fixed.
"There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online again as vulnerable," the duo said.
You can find the entire list of affected domains in the Trackmageddon report.