Key security problems
Vangelis Stykas and Michael Gruhn, the two security researchers who found the flaws, called the vulnerabilities ‘Trackmageddon’ in their report, where they detail the key security problems they found across hundreds of GPS trackers and the online services behind them.
The vulnerabilities include jaw-droppingly stupid things like shipping ‘123456’ as the default password, exposed folders, insecure API endpoints and insecure direct object reference (IDOR) cock-ups, where the server hands back another user’s data simply because you asked for their device ID.
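To make the IDOR point concrete, here is an added example, not code from the Trackmageddon report or from any tracker vendor: a minimal tracker-lookup handler with the bug, next to the same handler with an ownership check, plus a helper that walks sequential device IDs with one valid session the way an attacker would. The device records, user names and phone numbers are constructed sample data; the function names are assumptions for illustration.

```python
"""Added example: an IDOR-style tracker lookup and its hardened form.
Nothing here is from the Trackmageddon report or any vendor; all data is
constructed in memory so the file runs offline."""

from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    owner: str
    name: str
    phone: str
    last_fix: tuple  # (lat, lon), constructed sample values


# Constructed sample data for two hypothetical users.
DEVICES = {
    1001: Device(1001, "alice", "Alice's car", "+44 7700 900001", (51.5074, -0.1278)),
    1002: Device(1002, "bob", "Bob's cat", "+44 7700 900002", (53.4808, -2.2426)),
}


class Forbidden(Exception):
    """Raised when a caller asks for a device they do not own."""


def lookup_vulnerable(session_user: str, device_id: int) -> dict:
    """IDOR: the handler trusts the id from the request and never checks
    that session_user owns it, so any logged-in user can walk the id
    space and read everyone's name, phone number and last position."""
    dev = DEVICES[device_id]
    return {"name": dev.name, "phone": dev.phone, "last_fix": dev.last_fix}


def lookup_hardened(session_user: str, device_id: int) -> dict:
    """Same endpoint with an ownership check: fetch the object, then
    compare its owner against the authenticated session. Using one error
    for both 'missing' and 'not yours' avoids leaking which ids exist."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise Forbidden(f"device {device_id} not available to {session_user}")
    return {"name": dev.name, "phone": dev.phone, "last_fix": dev.last_fix}


def enumerate_ids(lookup, session_user: str, id_range: range) -> list:
    """Simulate an attacker with one valid session walking sequential ids;
    returns the ids whose data the endpoint handed back."""
    leaked = []
    for did in id_range:
        try:
            lookup(session_user, did)
            leaked.append(did)
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    # Bob is logged in and scans a small id range against both handlers.
    print("vulnerable:", enumerate_ids(lookup_vulnerable, "bob", range(1000, 1005)))
    print("hardened:  ", enumerate_ids(lookup_hardened, "bob", range(1000, 1005)))
```

The fix is the single comparison against the session's identity; the scan shows why it matters, since the vulnerable handler leaks every existing device to any account, while the hardened one only ever returns the caller's own.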
By exploiting these flaws a bad actor, or hacker, could get at the personally identifiable information these devices collect: GPS coordinates obviously, but also phone numbers, custom-assigned device names and more.
That sounds pretty bad, but worse is that it’s also possible to access the pictures and audio recordings these tracking devices upload. You thought watching what your cat gets up to all day was cute, yeah? How cute is it if a hacker can see those pictures and hear those recordings too?
It’s thought that ThinkRace (one of the largest manufacturers of such devices) was behind the initial balls-up, then sold its software (avec holes) to everyone else.
A few of the ThinkRace domains have since been fixed, but loads of other vendors still run older versions of the software, which remain vulnerable to the attack. Since the holes are server-side, only a vendor fix can close them; the researchers explain how they weighed disclosure against the risk to users:
“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users,” the researchers wrote in their report.
“We understand that only a vendor fix can remove users’ location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.”
Lots of vendors did try to patch, but the issues reappeared. At the time of writing, 79 domains are still insecure. I’m not printing the list of them here, but let’s say it’s not good.
What can you do if you use one of these devices? Stykas and Gruhn say you should take as much data off the thing as possible, change the device name and password or, most effectively, just stop using the device until it’s fixed.