Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive information on millions of online location tracking devices managed by vulnerable GPS services.
The series of vulnerabilities was discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs 'Trackmageddon' in a report detailing the fundamental security issues they have encountered in many GPS tracking services.
Trackmageddon affects several GPS services that harvest geolocation data of users from a range of smart GPS-enabled devices, including child trackers, car trackers, pet trackers and others, in an effort to enable their owners to keep track of where they are.
According to the researchers, the vulnerabilities include easy-to-guess passwords (such as 123456), exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues.
By exploiting these flaws, an unauthorized third party or hacker can gain access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names.
What's more? On some online services, an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices.
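To make the IDOR class of bug concrete, here is an added example (not code from the Trackmageddon report or from any affected vendor): a minimal "get tracker location" handler that checks the session but not ownership, beside its hardened form, plus a small audit routine a defender can run against both. All users, device IDs and IMEI values are constructed sample data.

```python
"""Added example: IDOR in a tracker-location API, vulnerable vs. hardened.
Every record below is constructed sample data, not real device information."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tracker:
    device_id: int
    owner: str
    imei: str      # constructed placeholder, not a real IMEI
    lat: float
    lon: float
    name: str


# Constructed inventory: two users, one tracker each.
TRACKERS = {
    1001: Tracker(1001, "alice", "IMEI-SAMPLE-0001", 52.5200, 13.4050, "kids-watch"),
    1002: Tracker(1002, "bob",   "IMEI-SAMPLE-0002", 48.8566,  2.3522, "car"),
}


class Forbidden(Exception):
    """Raised when a caller asks for a device they do not own (or that does not exist)."""


def get_location_insecure(session_user: str, device_id: int) -> dict:
    """Insecure direct object reference: the session is authenticated, but the
    handler never checks that device_id belongs to session_user, so any logged-in
    user can walk the ID space and read every tracker's coordinates and IMEI."""
    t = TRACKERS[device_id]
    return {"device_id": t.device_id, "imei": t.imei, "lat": t.lat, "lon": t.lon, "name": t.name}


def get_location_secure(session_user: str, device_id: int) -> dict:
    """Hardened form: resolve the object, then enforce ownership before returning
    anything. Unknown and foreign IDs get the same error, so the endpoint does not
    reveal which device IDs exist."""
    t = TRACKERS.get(device_id)
    if t is None or t.owner != session_user:
        raise Forbidden("device not found or not owned by caller")
    return {"device_id": t.device_id, "imei": t.imei, "lat": t.lat, "lon": t.lon, "name": t.name}


def audit_idor(handler) -> list:
    """Defender-side check: for each user, try every device the user does NOT own
    and record what the handler discloses. An empty list means no IDOR."""
    leaks = []
    for user in {t.owner for t in TRACKERS.values()}:
        for did, t in TRACKERS.items():
            if t.owner == user:
                continue
            try:
                handler(user, did)
                leaks.append((user, did))   # foreign record was returned
            except Forbidden:
                pass
    return sorted(leaks)
```

Running `audit_idor` against the insecure handler lists every cross-user disclosure; against the hardened handler it returns an empty list.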
The pair said they have been trying to reach out to the vendors behind the affected tracking services to alert them to the severity of these vulnerabilities.
According to the researchers, one of the largest global vendors of GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and the seller of licenses to the software.
Although four of the affected ThinkRace domains have now been fixed, the remaining domains still using the same flawed services continue to be vulnerable. Since many services could still be using older versions of ThinkRace, users are urged to remain up-to-date.
"We tried to give the vendors enough time to fix (also respond for that matter) while we weighted this against the current immediate risk of the users," the researchers wrote in their report.
"We understand that only a vendor fix can remove user's location history (and any other stored user information for that matter) from the still affected services but we (and I personally because my information is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic information being exposed."

In many cases, vendors attempted to patch the vulnerabilities, but the issues ended up reappearing. Around 79 domains still remain vulnerable, and the researchers said they did not know if these services would be fixed.
"There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online again as vulnerable," the pair said.

You can find the entire list of affected domains in the Trackmageddon report.
Stykas and Gruhn also offered some suggestions for users to avoid these vulnerabilities, which include removing as much data from the affected devices as possible, changing the password for the tracking services and keeping a strong one, or simply stopping use of the affected devices until the issues are fixed.