Researchers have uncovered several vulnerabilities in online GPS and location services that would allow rogue parties to access the location data on devices linked to those services.
The white hats—Vangelis Stykas and Michael Gruhn—named the group of issues “Trackmageddon”, and explained that the affected domains are numerous and cover everything from smart dog collars to in-car navigation to kid-trackers—and plenty of things in-between.
The two found exposed APIs which allow an unauthenticated actor to take full control of the registered GPS tracking devices (to the same extent a legitimate owner of such a device can control the API). The two have developed proof-of-concepts (PoCs) that show how someone could extract the locations as well as associated phone numbers and device model types from the user database via the exposed API on each affected website. However, the flaws also allow the bad guys to update firmware and send commands to the devices.
The researchers think that the flaws all go back to one server code which has been copied over and over. Unfortunately, they have been striking out when it comes to contacting the affected vendors—most of whom don’t provide any contact information at all. One vendor, One2Track, was immediately responsive and deployed fixes quickly to the affected www.one2trackgps.com, kiddo-track.com and www.amber360.com. Another, Thinkrace, has fixed grapi.5gcity.com, wagps.net, www.wagps.net and love.iotts.net.
However, more than 100 have been unresponsive or impossible to track down (no pun intended), so the researchers decided to disclose the flaws after a bit of soul-searching. The issue is that bad actors can use Trackmageddon to discover real-time location data for individuals, including children, not just past geolocation histories.
"Our moral dilemma was that users cannot remove their location history. Only a vendor can do that," Gruhn told Bleeping Computer. "We disclosed because we rated the risk posed by attackers extracting live location data (that is an attacker knowing where you currently are every time you use the device) far higher than the risk posed by an attacker knowing where you have been in the past. So, users can now protect themselves from the far worse attacks by not using the devices, even if this means their location history remains exposed because vendors are not fixing this."
A full list of affected domains and what has been fixed/what hasn’t can be found here.