Wednesday, January 10, 2018

"Trackmageddon" Vulnerabilities Discovered in (GPS) Location Tracking Services

Two security researchers, Vangelis Stykas and Michael Gruhn, have published a report on a series of vulnerabilities, which they named "Trackmageddon", that affect several GPS and location tracking services.
These GPS tracking services are basic databases that collect geolocation data from smart GPS-enabled devices, such as pet trackers, car trackers, kid trackers, and other "[insert_name] tracker" products.
Data is collected on a per-device basis and stored in the database. Product manufacturers use these services as drop-in solutions for their smart devices, allowing them to offer a GPS tracking feature in their product's software suite without building the backend themselves.


Trackmageddon flaws leak user info
The two researchers argue that an attacker could chain the collection of flaws they discovered to collect geolocation data on the users of those services.
The flaws range from easily guessable default passwords to exposed folders, and from unauthenticated API endpoints to insecure direct object reference (IDOR) flaws, where an API looks up a record by its identifier without checking that the requesting account owns it.
Stykas and Gruhn say an attacker can use the Trackmageddon vulnerabilities to extract data such as GPS coordinates, phone numbers, device data (IMEI, serial number, etc.), and possibly personal data, depending on the tracking service and device configuration.
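The IDOR class named above is the one most worth seeing side by side with its fix. The following is an added illustration, not code from the article or from any of the tracking vendors: a toy tracking-service API whose lookup endpoint trusts the device id alone, next to an ownership-scoped version, plus the two audit checks a service operator would run against their own backend (cross-owner reads and devices still on the vendor default password). All user names, device records, IMEI strings and the default password are constructed placeholders.

```python
"""Added example (not from the article or any vendor): IDOR in a toy
GPS-tracking lookup API, its ownership-scoped fix, and two defender-side
audit helpers. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# Constructed placeholder for a vendor-wide default device password.
DEFAULT_PASSWORD = "123456"


@dataclass
class Device:
    device_id: int
    owner: str          # account that registered the tracker
    imei: str           # constructed, not a real IMEI
    last_fix: Tuple[float, float]  # (lat, lon), constructed
    password: str


# Constructed sample backend: two accounts, three trackers.
DEVICES: Dict[int, Device] = {
    1001: Device(1001, "alice", "IMEI-EXAMPLE-0001", (51.50, -0.12), "s3cret-pw"),
    1002: Device(1002, "alice", "IMEI-EXAMPLE-0002", (48.85, 2.35), DEFAULT_PASSWORD),
    2001: Device(2001, "bob", "IMEI-EXAMPLE-0003", (40.71, -74.00), DEFAULT_PASSWORD),
}


class NotFound(Exception):
    """Raised for an id the caller is not allowed to see (or that does not exist)."""


def _render(dev: Device) -> dict:
    return {"device_id": dev.device_id, "imei": dev.imei, "fix": dev.last_fix}


def vulnerable_get_location(session_user: str, device_id: int) -> dict:
    """IDOR: the record is fetched by id only. The authenticated user is
    never compared with the record's owner, so any logged-in account can
    read any tracker's position simply by supplying a different id."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    return _render(dev)


def hardened_get_location(session_user: str, device_id: int) -> dict:
    """Ownership-scoped lookup: authorization is decided per object.
    A device that exists but belongs to someone else raises the same
    NotFound as a missing id, so the response does not reveal which
    ids are in use."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise NotFound(device_id)
    return _render(dev)


Lookup = Callable[[str, int], dict]


def can_read(session_user: str, device_id: int, lookup: Lookup) -> bool:
    """True if `lookup` returns the record to `session_user`."""
    try:
        lookup(session_user, device_id)
        return True
    except NotFound:
        return False


def cross_owner_reads(lookup: Lookup) -> List[Tuple[str, int]]:
    """Audit: every (user, device_id) pair where a user can read a tracker
    they do not own. Empty for a correctly scoped endpoint."""
    users = sorted({d.owner for d in DEVICES.values()})
    leaks = [
        (u, d.device_id)
        for u in users
        for d in DEVICES.values()
        if d.owner != u and can_read(u, d.device_id, lookup)
    ]
    return sorted(leaks)


def devices_with_default_password(default: str = DEFAULT_PASSWORD) -> List[int]:
    """Audit: trackers still using the vendor default password, which an
    operator should force to be rotated at first use."""
    return sorted(d.device_id for d in DEVICES.values() if d.password == default)


if __name__ == "__main__":
    print("cross-owner reads, vulnerable:", cross_owner_reads(vulnerable_get_location))
    print("cross-owner reads, hardened: ", cross_owner_reads(hardened_get_location))
    print("devices on default password:", devices_with_default_password())
```

The point of `cross_owner_reads` is that an IDOR is not visible by reading one request; it is visible only when you ask, for every (account, object) pair, whether the endpoint answers. Running that sweep against a staging copy of your own API is a cheap regression test for the class of flaw the researchers found.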


100+ tracking services failed to acknowledge and patch flaws

The two have spent the past few months reaching out to the affected tracking services, but with little success: only four services have implemented fixes to counteract the data leaks. In many cases, these tracking services did not have any contact information on their sites, making private disclosure almost impossible.
The research team said they faced a moral dilemma when it came to exposing the Trackmageddon flaws. Under normal circumstances they would have allowed companies more time to fix these issues, but they said they went public with their research because these services were actively leaking sensitive customer information.
"Our moral dilemma was that users cannot remove their location history. Only a vendor can do that," Gruhn told Bleeping Computer. "We disclosed because we rated the risk posed by attackers extracting live location data (that is an attacker knowing where you currently are every time you use the device) far higher than the risk posed by an attacker knowing where you have been in the past. So users can now protect themselves from the far worse attacks by not using the devices even if this means their location history remains exposed because vendors are not fixing this."

Check to see what's vulnerable and what's not

The researchers have released a list of services that fixed or may have fixed the flaws, a list of services still leaking data, and a list of affected devices [Trackmageddon homepage, a security advisory concerning gpsui.net and vmui.net, and another security advisory concerning the other services].
Proof-of-concept code for exploiting the flaws has been redacted from the advisories to prevent any attempts at cyber-stalking.
The researchers also believe that most of the leaky tracking services are running a vulnerable version of the ThinkRace tracking location software, which many vendors have adopted and incorporated. Stykas and Gruhn said they told the ThinkRace team about the issues they found, and the software vendor issued fixes.
