A slew of online services used to manage GPS- and GSM-based location tracking devices have been found vulnerable to flaws that could allow attackers to hijack these devices and reveal their owners' past and current locations.
In an online post on Tuesday, security researchers Vangelis Stykas and Michael Gruhn detailed the vulnerabilities, collectively named Trackmageddon, in 103 online services that in totality manage millions of devices. By and large, these various services are reportedly using vulnerable tracking location software developed and licensed by ThinkRace, an Indian GPS tracker manufacturer, which also operates five of the affected services.
As of Jan. 2, four of the impacted websites have been confirmed fixed – https://www.one2trackgps.com (aka One2Track), https://kiddo-track.com, https://www.amber360.com, and https://tr.3g-elec.com (in this case, the subdomain was removed). Another 15 no longer appear vulnerable to the researchers' proof-of-concept exploit code, although it cannot be conclusively affirmed that they have been permanently patched.
The report states that ThinkRace also agreed to repair their own five affected websites by Jan. 2; however, the researchers claim the fixes so far are “incomplete.” SC Media has reached out to ThinkRace for comment and will update the story upon receiving a response.
Stykas and Gruhn's work updates and expands upon previous research conducted by fellow security researcher Lachlan Temple, aka @skoooch, who found similar or possibly identical issues back in 2015. According to the latest report as well as two accompanying technical advisories, the vulnerabilities, discovered in November, can be divided into two subsets.
One subset is a series of authorization bypasses in gpsui.net, a website that facilitates the master server for at least 615,000 GSM and GPS location tracking devices. When exploited, this flaw enables attackers to escalate their privileges until they can force disclosure of all location tracking information, as well as send commands to and take control of all connected devices.
The other subset of vulnerabilities consists of various information disclosures as well as exposed APIs in multiple websites that act as the web control panel server for roughly 6.3 million devices, comprised of an estimated 367 different product models. The report states that these coding errors can allow unauthenticated actors to “take full control of the exposed API features to control and manage the registered GPS tracking devices,” as well as “extract the locations as well as associated phone numbers (if set) and device model type[s] from the user database via the exposed API on each affected website.”
In some cases, attackers may also be able to access images and audio recordings uploaded by devices, as well as on-board diagnostics features on devices used by vehicles.
Stykas and Gruhn say they tried to give notified vendors sufficient time to fix the vulnerabilities before public disclosure, but also felt the need to come forward so that device owners could start to protect themselves, especially against the threat of having their live locations identified by malicious actors.
The researchers recommend that consumers stop using any location-tracking device that relies on an unpatched service, and remove as much data as possible from these vulnerable websites. Users are also advised to change their passwords for their device's online service, even if the site has been adequately patched.
Mark James, security specialist at ESET, told SC Media UK that data such as GPS location could enable bad actors to tailor an attack, both digital or physical, with optimum effectiveness. “With this type of information, it shows a very clear footprint of your every move – something that, if exploited, could be the difference between a failed or successful attack,” he said.
“An attacker with access to the data could use this information to determine your whereabouts and tailor a specific attack either with you, or without you present, depending on the attack vector.”
In emailed comments, Lamar Bailey, director of security research and development at Tripwire, said that this report demonstrates how many small IoT device manufacturers and services providers “are very small and do not have adequate security practices, training, or staff to setup secure product and services, or they are more interested in getting products to market instead of spending the time and money to make sure the products are secure. Think of them like a new bank that just popped up and they are giving 10 percent interest on savings accounts to gain customers, but the bank branches are built like tents with no vault or security guards.”
Moreover, added Bailey, many of these companies have no establish means for researchers to easily report security concerns or disclose vulnerabilities.