HackRead
Security Flaws in GPS Trackers Puts Millions of Devices’ Data at Risk

January 3rd, 2018 Waqas Security 0 comments

The Trackmageddon vulnerabilities put millions of GPS trackers at risk of data exposure.

According to research conducted by two security experts, Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368), a majority of location tracking devices are flawed and vulnerable to exploitation. The affected products are varied: child and pet trackers, fitness monitors and vehicle trackers that rely on GPS and GSM for tracking. Devices that also offer photo and audio recording are on the list as well.

Threat

According to their findings, these devices are managed through a range of online tracking services, and it is those services that cannot be trusted: exposure of sensitive information through them is a real possibility.

More than a hundred online GPS tracking services are reportedly vulnerable, most of them because they expose open APIs and accept weak passwords such as 123456. This negligence has led to a wide range of privacy issues: direct tracking of a device's owner, and exposure of logged data through open directory listings on the services' web servers. The researchers identified more than 100 vulnerable services and found that cybercriminals could use the flaws to access users' personal data.

To reach that personal information, an attacker only needs to exploit a device's default credentials or a weakly protected insecure direct object reference (IDOR) flaw. With an IDOR, the service looks up a record by an identifier supplied in the request (such as a device ID in a URL parameter) without checking that the record belongs to the logged-in account, so changing that parameter value is enough to read another user's data.
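To make the IDOR point concrete, here is an added example (not code from the Trackmageddon research or from any tracker vendor) of a minimal location-lookup handler in its vulnerable form beside a hardened one, run against a constructed in-memory device store; the account names, device IDs, IMEIs and coordinates are made up for illustration. An enumeration helper shows what the attacker's check looks like: iterate over IDs with one valid session and count the records that come back for devices the session does not own.

```python
"""IDOR in a tracker web API: vulnerable handler next to a hardened one.

Added example; not the research's or any vendor's code. All data below is
constructed: three accounts, four devices with fake IMEIs and coordinates.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str            # account that registered the tracker
    imei: str             # constructed sample value, not a real IMEI
    last_fix: Tuple[float, float]   # (lat, lon), constructed


# Constructed sample store. Sequential IDs are typical of these services and
# make enumeration trivial, but the real bug is the missing ownership check.
DEVICES: Dict[str, Device] = {
    "1001": Device("1001", "alice", "490154203237518", (51.5074, -0.1278)),
    "1002": Device("1002", "alice", "490154203237526", (51.5155, -0.0922)),
    "1003": Device("1003", "bob",   "490154203237534", (48.8566, 2.3522)),
    "1004": Device("1004", "carol", "490154203237542", (40.7128, -74.0060)),
}


class NotFound(Exception):
    """Raised for ids that are missing or not owned by the caller."""


def _serialize(dev: Device) -> dict:
    return {"device_id": dev.device_id, "imei": dev.imei, "fix": dev.last_fix}


def get_location_vulnerable(session_user: str, device_id: str) -> dict:
    """Vulnerable handler: the session is authenticated (session_user is a
    valid account) but the device id from the URL is used directly as the
    lookup key, so any logged-in user can read any device."""
    dev = DEVICES.get(device_id)
    if dev is None:
        raise NotFound(device_id)
    return _serialize(dev)


def get_location_fixed(session_user: str, device_id: str) -> dict:
    """Hardened handler: the lookup is scoped to the caller's own devices.
    A device that exists but belongs to someone else gets the same response
    as a missing one, so the endpoint also does not leak which ids exist."""
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != session_user:
        raise NotFound(device_id)
    return _serialize(dev)


def idor_enumeration(handler: Callable[[str, str], dict],
                     session_user: str, id_range: Iterable[int]) -> List[str]:
    """Attacker-side check: walk a range of ids with one valid session and
    return the ids of devices that were returned but are not ours."""
    leaked = []
    for i in id_range:
        try:
            rec = handler(session_user, str(i))
        except NotFound:
            continue
        if DEVICES[rec["device_id"]].owner != session_user:
            leaked.append(rec["device_id"])
    return leaked


if __name__ == "__main__":
    ids = range(1000, 1010)
    print("vulnerable leaks:", idor_enumeration(get_location_vulnerable, "bob", ids))
    print("fixed leaks:     ", idor_enumeration(get_location_fixed, "bob", ids))
```

The fix is the ownership comparison in `get_location_fixed`, done against the server-side record rather than anything the client sends; randomising device IDs alone would only slow the enumeration down, not close the hole.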

Trackmageddon

The security flaws have been dubbed Trackmageddon. The information exposed includes a device's current location and location history, its phone number, model, type and IMEI, and any audio recordings and images it has captured. It is also possible to activate or deactivate certain device features (e.g. geofence alerts) by sending commands through the service. Beyond the APIs themselves, information leaks through log files, directory listings, publicly exposed API endpoints, source code and WSDL files. The software behind most of the services was probably supplied by the Chinese firm ThinkRace.

The researchers noted that most of the vulnerable services were identified between November and December. Of the roughly 100 affected domains, nine have patched the flaws or have fixes underway, and more than twelve sites fixed the issues without informing the researchers. The rest remain vulnerable.

Trackmageddon: https://t.co/r5T9EljM53

Vulnerabilities in online services of (GPS) location tracking devices allow unauthorized access to location data.

Unfortunately, we were unable to contact all vendors for fixes.
Still affected users should stop using the services.

— mich (@0x6d696368) January 2, 2018

Impact

Notably, several of the affected domains are operated by the same company: the researchers found 36 unique IP addresses hosting these domains, and 41 databases shared across those IPs. According to the research, 79 domains are still vulnerable, which translates to more than 6.3 million devices across 360 device models exposed. In many cases ThinkRace has no control over the servers hosting the tracking services.

The researchers do not claim to have identified every vulnerable domain. Gruhn told Salted Hash: “We have 79 domains (including sub-domains) listed as still vulnerable. But we cannot eliminate the possibility that there are other sub-domains under a vulnerable domain. Neither can we rule out that there are more websites that exhibit the same vulnerabilities.”

For that reason they urge anyone using an online tracking service to change the account password and delete any sensitive information stored in the account, and to stop using the affected devices until patches are released.

List of fixed and unfixed devices is available here.

  • Tags
  • GPS
  • internet
  • Privacy
  • security
  • Surveillance
  • Technology
  • Vulnerability