Privacy and security problems in TrackR, iTrack Easy and Nut IoT trackers

Rapid7 researchers took aim at IoT trackers and found a plethora of security and privacy problems


People who tend to lose or misplace things may turn to “smart” trackers: tiny Bluetooth-enabled devices that can be attached to keys, TV remotes or just about anything, and that help you find the “lost” item via a smartphone. Many have a crowdsourcing feature so other people on that tracker’s network can also help locate a missing item. But how secure are these IoT trackers? Two researchers at Rapid7 decided to find out.

Deral Heiland, principal security consultant at Rapid7, aka @Percent_X, and Adam Compton, senior security consultant at Rapid7, aka @tatanus, took aim at four different trackers: iTrack Easy, Nut Smart Tracker, TrackR Bravo and Tile. They looked at the devices, as well as the companion iOS apps, and found issues with each.

What made you home in on trackers?

Heiland: I was curious seeing these devices attached to people’s keychains. After initially investigating and thinking about the potential privacy issues around the crowd GPS feature, I decided to look deeper at four of the products on the market.


Let’s start with the good news. Tile and its app did the best; however, the researchers did find “a minor screenshot caching issue which does not appear to reveal private information.”

It goes downhill from here. At the time of writing, no vendor had issued any patches to mitigate the many security issues found even though the researchers reached out to the vendors back on August 25.

TrackR Bravo

The coin-sized TrackR Bravo uses Bluetooth and has a range of connectivity up to 100 feet. If the item isn’t found within that 100-foot range, then it also has a Crowd GPS feature so that “all TrackR-enabled phones will begin to search for that item.”

When investigating potential security and privacy issues in the iOS TrackR app, the researchers discovered the account password is stored in cleartext.

TrackR Bravo app Password stored in cleartext

The app also allows a malicious actor to “access GPS data for any TrackR device from any web browsers without authentication.”

Additionally, the device allows unauthenticated pairing. An attacker could change the device ID as well as enable the device’s remote alarm, which would sound an audible alarm and drain the battery. Until the vendor patches, the researchers said users should keep in mind that using the TrackR device in public “will expose the device to malicious attacks.”

Device tracking ID exposed

The device tracking ID is exposed in both the TrackR and iTrack Easy. That might not sound too alarming, but what does it really mean?

If a bad actor were to get the device ID, what could he or she do with it?

Heiland: In the case of the TrackR Bravo, the tracker ID can be used to determine a person's GPS coordinates at any given time. No authentication is needed to access GPS data on the internet, and the tracker ID can be obtained by being in close proximity of the person with the device “50-75 feet.”

Heiland: In the case with the iTrack Easy device, once the tracker ID is captured, a malicious actor can then register it online. Once this is done, the GPS data of the original user can only be acquired when that person owning the iTrack device passes in proximity of another user with the iTrack Easy Mobile application, so full continued GPS tracking is unlikely.

Mitigation: A patch would be preferable, but until the vendor patches, if it ever does, users should be aware that using TrackR and iTrack Easy devices in public exposes the device ID.

iTrack Easy

If an item with a small Bluetooth-enabled iTrack Easy device cannot be located within a 30- to 50-meter (98 to 164 feet) line-of-sight range, there is a network of other users to help you find the missing item; you are notified when another iTrack user goes near the item.

Besides allowing an attacker to get the device ID and duplicate registration, the iTrack Easy app allows an attacker to write to getGPS data without needing any authentication. “This would allow a malicious actor to poison the GPS location data of a lost device.”

The iTrack app does not use session cookies, which would expire, so a malicious actor could “have full access to a user’s account.” A user would need to change the password to secure the account again. Users are warned against connecting to public Wi-Fi.

iTrack Easy issues

The researchers also found the account password used to authenticate to the cloud API is only base64 encoded and can be discovered.

Nut Smart Tracker

The Nut Smart Tracker for “forgetful” people creeped me out the most. All of the trackers and apps can be used to find lost or misplaced items, but the Nut additionally includes features to track people. Locating parents, kids, friends and even lovers is listed among the Nut app scenarios. If you still can’t find the lost item, then the crowdsourced network consists of all Nut users, as well as 60 million WeChat users.

The Nut advertises, “Industry standard security encryption ensures you are the only one who can control your personal account.” Yet the researchers discovered that the app stores the password in cleartext, leaks the session token, and allows unauthenticated Bluetooth connections to write to the device name attribute.

Nut Smart Tracker cleartext password

Some of the features of the Nut app include “add friends,” setting up a security perimeter for notifications if friends enter or leave the area, as well as checking friends’ “footprint records in the last four weeks.”

So, if a user’s account was compromised, then the attacker/stalker would have the GPS data for any tracked device as well as the GPS data for any friends or family via the app?

Heiland: Potentially, yes. Compromise of the session data via mobile application communicating over a non-SSL connection would allow anyone with that session data to gain full access to the user’s account. This could typically take place if the Nut mobile application was used on an unsecure Wi-Fi, like in a coffee shop. Once that session data is compromised, the malicious actor would have access until the owner of the device logged out and back in using the Nut’s mobile application.
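Three of the finding classes described in this article (an account password that is only base64 encoded, session data sent over a non-SSL connection, and GPS data served without authentication) can be checked for in a proxy capture taken while testing a companion app. The following is an added example, not code from Rapid7 or any vendor; the capture, host, paths, field names and test password are constructed and hypothetical.

```python
import base64
import binascii
from urllib.parse import urlsplit

TEST_PASSWORD = "Tr4ck3r-test-pw"  # constructed test-account password
AUTH_FIELDS = {"authorization", "cookie", "token", "session"}  # assumed names
# Constructed proxy capture; host, paths and field names are hypothetical.
CAPTURE = [
    {"url": "https://api.tracker.example/v1/devices", "status": 200,
     "fields": {"authorization": base64.b64encode(
         f"qa@example.com:{TEST_PASSWORD}".encode()).decode()},
     "response_keys": ["devices"]},
    {"url": "http://api.tracker.example/v1/friends", "status": 200,
     "fields": {"session": "c0ffee-constructed"},
     "response_keys": ["friends"]},
    {"url": "https://api.tracker.example/v1/position?id=0000", "status": 200,
     "fields": {}, "response_keys": ["latitude", "longitude"]},
    {"url": "https://api.tracker.example/v1/profile", "status": 200,
     "fields": {"authorization": "Bearer constructed-opaque-token"},
     "response_keys": ["name"]},
]

def exposes_password(value, password):
    """True if value holds the password in cleartext or as plain base64."""
    if password in value:
        return True
    try:
        decoded = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False  # not base64, so nothing to recover this way
    return password.encode() in decoded

def audit(capture, password=TEST_PASSWORD):
    """Return (request index, issue) pairs for the three finding classes."""
    findings = []
    for i, req in enumerate(capture):
        fields = {k.lower(): v for k, v in req["fields"].items()}
        has_auth = bool(AUTH_FIELDS & fields.keys())
        if any(exposes_password(v, password) for v in fields.values()):
            findings.append((i, "password recoverable from request"))
        if has_auth and urlsplit(req["url"]).scheme != "https":
            findings.append((i, "session data sent without TLS"))
        if not has_auth and req["status"] == 200 and \
                {"latitude", "longitude"} <= set(req["response_keys"]):
            findings.append((i, "location data served without authentication"))
    return findings

if __name__ == "__main__":
    for index, issue in audit(CAPTURE):
        print(f"request {index}: {issue}")
```

The fourth constructed request, which carries an opaque bearer token over HTTPS, produces no finding.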

Rapid7’s full report on the IoT trackers’ vulnerabilities can be found here.

“With so many tracking devices and applications now on the market, it’s important that we as end users stay aware of the potential impact to privacy,” Heiland said. “This doesn’t mean we abandon IoT, just the opposite. By building a healthy understanding and respect for the use of these technologies, it will help us make better-informed decisions in relationship to our privacy.”

Copyright © 2016 IDG Communications, Inc.
