“Trackmageddon” Vulnerabilities in Location Tracking Services[source: bleepingcomputer]

Two security researchers —Vangelis Stykas and Michael Gruhn— have published a report on a series of vulnerabilities that they named “Trackmageddon” that affect several GPS and location tracking services.

These GPS tracking services are basic databases that collect geolocation data from smart GPS-enabled devices, such as pets trackers, car trackers, kids trackers, and other “[insert_name] tracker” products.

Data is collected on a per-device basis and stored in the database. Product manufacturers utilize these services as drop-in solutions for their smart devices, allowing them to support a GPS tracking feature for their product’s software suite.

Trackmageddon flaws leak user info

The two researchers argue that an attacker could leverage the collection of flaws they discovered to collect geolocation data from the users of those services.

The flaws range from easy-guessable default passwords to exposed folders, and from unsecured API endpoints to insecure direct object reference (IDOR) flaws.

Stykas and Gruhn say an attacker can use the  Trackmageddon vulnerabilities to extract data such as GPS coordinates, phone numbers, device data (IMEI, serial number, etc.), and possibly personal data —depending on the tracking service and device configuration.

100+ tracking services failed to acknowledge and patch flaws

The two have been working for the past few months reaching out to the affected tracking services, but with little success, as only four services have implemented fixes to counteract the data leaks. In many cases, these tracking services did not have any contact information on their sites, making private disclosure almost impossible.

The research team said they faced a moral dilemma when it came to exposing the Trackmageddon flaws. Under general circumstances, they would have allowed companies more time to fix these issues, but they said went public with their research because these services were actively leaking sensitive customer information.

“Our moral dilemma was that users can not remove their location history. Only a vendor can do that,” Gruhn told Bleeping Computer. “We disclosed because we rated the risk posed by attackers extracting live location data (that is an attacker knowing were you currently are every time you use the device) far higher than the risk posed by an attacker knowing where you have been in the past. So users can now protect themselves from the far worse attacks by not using the devices even if this means there location history remains exposed because vendors are not fixing this.”

For more, click here.