Hundreds of GPS location-tracking services have vulnerabilities that put user information at risk
Two researchers disclosed that hundreds of GPS and location-tracking services were exposing information such as the positions of their tracking devices, because of easy-to-guess default passwords (123456) and open API interfaces. In addition, GPS and location-tracking services affected by vulnerabilities such as Insecure Direct Object Reference (IDOR) allow unauthorized third parties to access the data stored in the service. The researchers refer to these vulnerabilities collectively as “Trackmageddon”.
The information these security issues may reveal includes: GPS coordinates, phone numbers, device data (IMEI, serial number, MAC address, etc.), custom assigned names, audio recordings, images, and other personal data.
These GPS tracking services are essentially databases that collect geolocation data from GPS-enabled smart devices such as pet trackers, car trackers, and children’s trackers. Data is collected per device and stored in a database. Product manufacturers use these services as a companion solution to their smart devices.
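To make the two flaws concrete, here is an added example (not code from the article, the researchers, or any vendor) of a minimal location-lookup API in the shape the disclosure describes: a device lookup with no ownership check (the IDOR), the hardened lookup beside it, a password-setting routine that refuses the 123456 default, and a small detector that flags a session reading far more device IDs than it owns. The device records, owners, IMEI placeholders and access log are all constructed for illustration.

```python
"""Constructed example modelled on the Trackmageddon flaws: IDOR on device
lookups, an accepted vendor default password, and a detector for the
enumeration pattern an IDOR invites. Nothing here is a real service's code."""

# Constructed sample data: two owners, one tracker each. IMEIs are placeholders.
DEVICES = {
    "dev-100": {"owner": "alice", "lat": 52.37, "lon": 4.89, "imei": "IMEI-PLACEHOLDER-1"},
    "dev-200": {"owner": "bob",   "lat": 48.86, "lon": 2.35, "imei": "IMEI-PLACEHOLDER-2"},
}

# The default the article names, plus any other factory defaults a deployment knows of.
DEFAULT_PASSWORDS = {"123456"}
MIN_PASSWORD_LEN = 12


def vulnerable_get_location(session_user, device_id):
    """IDOR: the device is looked up by id alone; session_user is never consulted,
    so any authenticated (or, with an open API, unauthenticated) caller who guesses
    a device id reads its position."""
    dev = DEVICES.get(device_id)
    if dev is None:
        return None
    return {"lat": dev["lat"], "lon": dev["lon"]}


def hardened_get_location(session_user, device_id):
    """Authorize against ownership, and return the same 'not found' for a device
    that does not exist and one the caller does not own, so ids cannot be probed."""
    dev = DEVICES.get(device_id)
    if dev is None or dev["owner"] != session_user:
        return None
    return {"lat": dev["lat"], "lon": dev["lon"]}


def validate_new_password(password):
    """Reject known defaults and short passwords at account setup and on change.
    Returns True when acceptable; raises ValueError otherwise."""
    if password in DEFAULT_PASSWORDS:
        raise ValueError("vendor default password rejected")
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password shorter than %d characters" % MIN_PASSWORD_LEN)
    return True


def flag_enumeration(access_log, max_distinct=3):
    """Detection: an IDOR is exploited by walking device ids, so a single user
    touching many more distinct ids than a normal owner would is the signal.
    access_log is an iterable of (user, device_id) pairs; returns the users
    whose distinct-id count exceeds max_distinct, sorted."""
    seen = {}
    for user, device_id in access_log:
        seen.setdefault(user, set()).add(device_id)
    return sorted(u for u, ids in seen.items() if len(ids) > max_distinct)


# Constructed access log: alice reads her own tracker; bob walks sequential ids.
SAMPLE_LOG = [("alice", "dev-100"), ("alice", "dev-100")] + [
    ("bob", "dev-%d" % n) for n in range(200, 206)
]

if __name__ == "__main__":
    print("vulnerable, bob reads alice's device:", vulnerable_get_location("bob", "dev-100"))
    print("hardened,   bob reads alice's device:", hardened_get_location("bob", "dev-100"))
    print("hardened,   alice reads her device:  ", hardened_get_location("alice", "dev-100"))
    print("flagged for enumeration:", flag_enumeration(SAMPLE_LOG))
```

The hardened lookup deliberately collapses "no such device" and "not your device" into one response; returning different errors would let a caller confirm which ids exist, which is the first half of the enumeration the detector watches for.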
The researchers are not certain they found all the vulnerable domains, because other sites may expose the same data.
In November 2017, the two researchers began repeatedly trying to contact the affected location-tracking service providers, with little success: only four companies fixed the vulnerabilities. Many location-tracking services list no contact information on their sites, and the possibility that they are resellers cannot be ruled out, which makes the problem more complicated and increases the difficulty of disclosing the vulnerabilities privately.
For example, the researchers said that in the case of images and sound recordings, the information is exposed simply by browsing open directories on the affected service’s website. Given that this data concerns sensitive information about users, the researchers chose to disclose publicly.
The first to respond and quickly resolve the problem was the reseller One2Track.
Since then, ThinkRace, one of the largest suppliers of GPS tracking devices and the original developer of the location-tracking online services and software, finally agreed to fix four domains a few hours before the public announcement.
ThinkRace specializes in the production of safety- and fitness-oriented tracking products, ranging from personal GPS trackers, GPS watches, GPS cards, pet trackers, cycling trackers and car trackers to fitness bracelets and more. Its contract-manufacturing (OEM) services are used by businesses, telcos and governments in 30 countries.
You can find the entire list of affected domains on the Trackmageddon report.
What should I do if my device is affected?
The researchers believe most of these location-tracking services are running vulnerable versions of ThinkRace’s location-tracking software. They said they have notified the ThinkRace team and that the company has also released patches.
The researchers recommend that users change their passwords and remove as much data as they can from the device and location-tracking services. To avoid further disclosure of data, users may also choose to stop using the affected devices.
Reference: thehackernews