Trackmadeddon attack puts millions of vulnerable GPS trackers at risk of data exposure.
According to a research conducted by two security experts by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368), a majority of location tracking devices are flawed and vulnerable to exploitation. There are versatile devices such as child or pet trackers, fitness monitoring gadgets and automobile trackers that work using GPS and GSM tracking capabilities. Services that offer photo and audio recording facility are also on the list of.
As per their findings, these devices are managed by different online services that offer location tracking devices. However, these devices cannot be trusted because exposure of sensitive information is a possibility.
Reportedly, hundreds of GPS services are vulnerable, most of which use open APIs and weak passwords, such as 123456. This ignorance has led to a wide range of privacy issues, for instance, direct tracking, while logged data is exposed due to open directories of these services. More than 100 vulnerable services were identified by the security experts while it was identified that the devices could be attacked by cybercriminals to access personal data.
Attackers need to exploit the default credentials of a device or weakly protected insecure direct object reference (IDOR) flaws in order to access personal information. These features are responsible for allowing access to other accounts of the user by changing the URL parameter value.
The security flaws have been dubbed as Trackmadeddon. The information exposed by the devices includes location history and current location, phone number, model, type and IMEI number of the device and audio recordings and images. Moreover, it is also possible to activate or deactivate certain features of a device (for e.g., geofence alerts) by sending out commands. Attackers can also expose information via log files, directory listings, publicly exposed API endpoints, source code and WSDL files. The software was probably provided by the Chinese firm ThinkRace.
Researchers noted that most of the devices were identified between November and December while 9 out of the 100 impacted domains have patched the flaws or fixes are underway and more than 12 websites have fixed the issues without informing them. Unfortunately, the rest of the tracking devices are still vulnerable.
Vulnerabilities in online services of (GPS) location tracking devices allow unauthorized access to location data.
Unfortunately, we were unable to contact all vendors for fixes.
Still affected users should stop using the services.
— mich (@0x6d696368) January 2, 2018
It is worth noting that the same company is found to be operating some of the impacted domains; 36 unique IPs have been discovered by researchers that are hosting these domains. Also, it was observed that 41 databases are being shared via the IPs. According to the research, 79 domains are still vulnerable, which means more than 6.3 million devices and 360 device models are vulnerable to data exposure. In many cases, it was noted that ThinkRace has no control over the servers that hosted the tracking device.
Experts have stated that they are not 100% sure if they have identified all the vulnerable domains. Gruhn said while speaking with Salted Hash: “We have 79 domains (including sub-domains) listed as still vulnerable. But we cannot eliminate the possibility that there are other sub-domains under a vulnerable domain. Neither can we rule out that there are more websites that exhibit the same vulnerabilities.”
This is why they have urged that whoever is using online tracking services must change the password and delete sensitive information stored in the account. It is also recommended that people stop using these devices until patches are released.
List of fixed and unfixed devices is available here.