GPS tracking vulnerabilities leave millions of products at risk

After months of failed notification attempts, only four website operators confirmed a fix


It's an IoT nightmare. One that is entirely preventable.

Two researchers have disclosed problems with hundreds of vulnerable GPS services using open APIs and trivial passwords (123456), resulting in a multitude of privacy issues including direct tracking. Further, many of the vulnerable services have open directories exposing logged data.

For some, the vulnerabilities discovered and disclosed by Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368) aren't new. They were disclosed during Kiwicon in 2015 by Lachlan Temple, who demonstrated flaws in a popular car tracking immobilization device.

However, Tuesday's disclosure seriously widens the scope of the earlier research, including millions of devices on the market using A8 mini GPS trackers and S8 data line locators. Like many IoT gadgets, these devices are being sold by scores of white label re-sellers with little or no security.

What's exposed?

In a write-up – under the name "Trackmageddon" – Stykas and Gruhn outline their findings.

According to their research, the vulnerable services were exposing location information, device model and type information, IMEI numbers, phone numbers (where such information is used for the device in question), custom assigned names, audio recordings, and images.

For example: In addition to the verified data exposures, on gps958.com it is possible to access location history, send commands to the device (the same commands that would be sent via SMS), and activate or deactivate geo fencing alarms. No authentication needed.

When it comes to images and audio recordings, the exposures happened via open directories on the affected service's website.

Stykas and Gruhn first discovered a debugging interface, which allowed them to enter API queries in a web form (similar to what Temple did in 2015). Once they knew what the API expected, they could query the API even on websites that did not expose the API in a publicly viewable directory.

Months of work, for little progress:

Notifications started in November of 2017, and according to a timeline posted by the researchers, it was a slow process. The problems were compounded by the fact that most of the vulnerable services had no contact information, likely due to the fact that they are re-sellers.

At first, only one intermediate vendor – One2Track – responded and promptly fixed the problem over the weekend.

ThinkRace, one of the largest vendors for these GPS tracking devices, eventually agreed to fix four domains just hours before the public disclosure was to take place. This delayed disclosure by 24 hours.

The researchers believe that ThinkRace is the original developer of the location tracking online service and software, licensing it out to others. However, ThinkRace doesn't have any control over the vulnerable websites that were discovered, other than the four it promised to fix.

Where do things stand?

Four domains are not vulnerable, and have addressed the problems. Fifteen domains (at the time this article was written) no longer respond to automated proof-of-concept testing, so they could be fixed, but the results are not conclusive.

Lastly, 79 discovered domains remain vulnerable. It's believed that the websites are mostly copied and pasted, but exactly how the services are spawned remains a mystery. Thus, it's possible there are other websites out there exposing data. While the researchers are confident they found all the vulnerable domains, they can't be 100 percent sure.

"We have 79 domains (including sub-domains) listed as still vulnerable. But we cannot eliminate the possibility that there are other sub-domains under a vulnerable domain. Neither can we rule out that there are more websites that exhibit the same vulnerabilities," Gruhn said in a recent interview with Salted Hash.

The advice to consumers is to change their passwords (if they're using the defaults, and if the service has been fixed) and to remove as much personal information as possible from the device itself. Otherwise, it's best to stop using it.

"As long as the online service managing your device is still vulnerable changing your password will not matter and there is unfortunately not much you can currently do to protect yourself besides stopping to use the device," Gruhn wrote.

The full disclosure and advisories are available online.
