Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive data on millions of online location tracking devices managed by vulnerable GPS services.
The series of vulnerabilities discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs as ‘Trackmageddon’ in a report, detailing the key security issues they have encountered in many GPS tracking services.
Trackmageddon affects several GPS services that harvest geolocation data of users from a range of smart GPS-enabled devices, including children trackers, car trackers, pet trackers among others, in an effort to enable their owners to keep track of where they are.
According to the researchers, the vulnerabilities include easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues.
By exploiting these flaws, an unauthorized third party or hacker can get access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names.
What’s more? On some online services, an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices.
The duo said they have been trying to reach out to potentially affected vendors behind the affected tracking services for warning them of the severity of these vulnerabilities.
According to the researchers, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software.
Although four of the affected ThinkRace domains have now been fixed, the remaining domains still using the same flawed services continue to be vulnerable. Since many services could still be using old versions of ThinkRace, users are urged to stay up-to-date.
“We tried to give the vendors enough time to fix (also respond for that matter) while we weighted this against the current immediate risk of the users,” the researchers wrote in their report.
“We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.”
In many cases, vendors attempted to patch the vulnerabilities, but the issues ended up re-appearing. Around 79 domains still remain vulnerable, and researchers said they did not know if these services would be fixed.
“There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online again as vulnerable,” the duo said.
You can find the entire list of affected domains on the Trackmageddon report.
Stykas and Gruhn also recommended some suggestions for users to avoid these vulnerabilities, which includes removing as much data from the affected devices as possible, changing the password for the tracking services and keeping a strong one, or just stopping to use the affected devices until the issues are fixed.