Security researchers have found multiple vulnerabilities in hundreds of GPS tracking services that could let attackers expose a wide range of sensitive data from millions of online location tracking devices managed by those services.
The vulnerabilities were discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs ‘Trackmageddon‘ in a report detailing the key security issues they encountered in many GPS tracking services.
Trackmageddon affects several GPS services that collect geolocation data from a range of smart GPS-enabled devices, including child trackers, car trackers and pet trackers, so that their owners can keep track of where they are.
According to the researchers, the vulnerabilities include easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints and insecure direct object reference (IDOR) issues.
By exploiting these flaws, an unauthorized third party can access the personally identifiable information collected by the location tracking devices, including GPS coordinates, phone numbers, device type information, IMEI numbers and custom assigned names.
What’s more, on some of the online services an unauthorized third party can also access photos and audio recordings uploaded by the location tracking devices.
The duo said they have been trying to reach the vendors behind the affected tracking services to warn them of the severity of these vulnerabilities.
According to the researchers, ThinkRace, one of the largest global vendors of GPS tracking devices, may have been the original developer of the flawed location tracking web software and may also have sold licenses to it.
Although four of the affected ThinkRace domains have now been fixed, the remaining domains still running the same flawed software continue to be vulnerable. Since many services could still be running old versions of the ThinkRace software, users are urged to stay up to date.
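To make the IDOR issue concrete, here is an added example (not code from the Trackmageddon report or from any affected vendor) modelling a tracking service's "get device location" lookup: the vulnerable pattern that trusts a caller-supplied device id beside a version that checks ownership against the authenticated account. All users, device ids, IMEI values and coordinates are constructed sample data.

```python
# Added example: ownership check for per-device location lookups.
# Everything below (users, device ids, IMEI placeholders, coordinates) is
# constructed sample data, not taken from any real tracking service.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: int
    owner: str   # account that registered the tracker
    imei: str    # constructed placeholder, not a real IMEI
    lat: float
    lon: float


# Constructed in-memory table standing in for the service's database.
DEVICES = {
    1001: Device(1001, "alice", "IMEI-PLACEHOLDER-1", 52.5200, 13.4050),
    1002: Device(1002, "bob",   "IMEI-PLACEHOLDER-2", 48.8566,  2.3522),
}


class AccessDenied(Exception):
    """Raised when the caller may not read the requested device."""


def location_idor(device_id: int) -> dict:
    """Vulnerable pattern: the endpoint returns whatever id the caller names
    and never asks who is asking, so ids can be walked to read every tracker."""
    d = DEVICES[device_id]
    return {"device_id": d.device_id, "imei": d.imei, "lat": d.lat, "lon": d.lon}


def location_checked(requesting_user: str, device_id: int) -> dict:
    """Hardened pattern: look the object up, then compare its owner with the
    authenticated session before returning any field. A missing device and a
    device owned by someone else produce the same error, so the response does
    not reveal which ids exist."""
    d = DEVICES.get(device_id)
    if d is None or d.owner != requesting_user:
        raise AccessDenied("device not found or not owned by caller")
    return {"device_id": d.device_id, "imei": d.imei, "lat": d.lat, "lon": d.lon}


def can_read(requesting_user: str, device_id: int) -> bool:
    """Convenience wrapper: True only when the ownership check passes."""
    try:
        location_checked(requesting_user, device_id)
        return True
    except AccessDenied:
        return False
```

The same ownership comparison belongs on every object-addressed endpoint of such a service (photos, audio uploads, history), not only on the location lookup.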
“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed that against the current immediate risk of the users,” the researchers wrote in their report.
“We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.”
In many cases, vendors attempted to patch the vulnerabilities, but the issues reappeared. Around 79 domains remain vulnerable, and the researchers said they do not know whether these services will be fixed.
“There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification from a vendor that they fixed them, it could be that the services come back online again as vulnerable,” the duo said.
The full list of affected domains is in the Trackmageddon report.
Stykas and Gruhn also offered some suggestions for users to limit their exposure: remove as much data from the affected devices as possible, change the password for the tracking service to a strong one, or simply stop using the affected devices until the issues are fixed.