Trackmageddon: Vulnerabilities Discovered in Location Tracking Services
Security researchers Vangelis Stykas and Michael Gruhn found a set of vulnerabilities, collectively named Trackmageddon, in the online services behind GPS location tracking devices. Attackers can gain access to stored information through authorization bypasses, by exploiting default passwords (e.g. 123456), and through insecure direct object reference (IDOR) flaws, which allow a logged-in user to read other users' data simply by changing the value of a POST parameter (such as a device or account identifier) in the request.
These vulnerabilities expose information such as a device's current location, its location history, device model and type, serial number, and the phone number assigned to it.
The site gpsui.net, which hosts the master server for GSM and GPS location tracking devices (to the researchers' knowledge around 615,817 devices), is vulnerable to multiple authorization bypasses allowing horizontal privilege escalation. These lead to the disclosure of all location tracking information stored by the site, as well as control over all connected devices.
This is especially worrisome because the site is also used by location trackers with embedded microphones. An attacker could push commands to register a new remote phone number on a device and configure it to call that number when the surrounding noise level exceeds a set threshold. This would allow an attacker not only to listen in on the 615,817 devices, but also to monetize them by making them call an attacker-controlled service number and profiting from the service fees.
This class of vulnerability is CWE-639, "Authorization Bypass Through User-Controlled Key", the weakness commonly known as an insecure direct object reference: the server looks up a record by an identifier the client supplies and never checks that the authenticated user is allowed to see that record.
The vulnerable software appears to come from the China-based vendor ThinkRace, but in many cases the company does not control the servers that host the tracking services, which complicates patching.
Roughly 100 vulnerable domains were identified in total.
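To make the IDOR pattern described above concrete, here is an added example (not code from the Trackmageddon researchers or from ThinkRace) of a minimal device-lookup handler in its vulnerable form beside its hardened form, plus a small detection routine that flags sessions requesting many distinct device IDs. The accounts, device records, session tokens, endpoint name and log format are all constructed for the example and do not come from gpsui.net or the advisory.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample back end: two accounts, each owning exactly one tracker.
# None of these identifiers come from gpsui.net or the Trackmageddon advisory.
DEVICES: Dict[str, Dict] = {
    "1001": {"owner": "alice", "model": "GT-example", "serial": "SN-0001",
             "phone": "+15550000001", "location": (37.7749, -122.4194)},
    "1002": {"owner": "bob", "model": "GT-example", "serial": "SN-0002",
             "phone": "+15550000002", "location": (40.7128, -74.0060)},
}
# Constructed session store: token -> logged-in user name.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}


class AuthzError(Exception):
    """Raised when a request is not authenticated or not authorized."""


def _current_user(session_token: str) -> str:
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthzError("not logged in")
    return user


def vulnerable_get_device(session_token: str, form: Dict[str, str]) -> Dict:
    """CWE-639 pattern: the device_id POST parameter is a user-controlled key
    used directly for the lookup, with no check that the device belongs to
    the logged-in account. Any authenticated user can read any device."""
    _current_user(session_token)  # authentication only, no authorization
    device = DEVICES.get(form["device_id"])
    if device is None:
        raise AuthzError("device not found")
    return device


def hardened_get_device(session_token: str, form: Dict[str, str]) -> Dict:
    """Fixed form: resolve the object, then verify ownership against the
    session's user, never against anything the client sent."""
    user = _current_user(session_token)
    device = DEVICES.get(form["device_id"])
    # Same error for "missing" and "not yours", so the endpoint cannot be
    # used to enumerate which device IDs exist.
    if device is None or device["owner"] != user:
        raise AuthzError("device not found")
    return device


def can_read(handler, session_token: str, device_id: str) -> bool:
    """True if the given handler lets this session read this device."""
    try:
        handler(session_token, {"device_id": device_id})
        return True
    except AuthzError:
        return False


# Constructed access-log lines in a made-up format:
# <timestamp> <session> POST /get_device device_id=<id>
SAMPLE_LOG = """\
2018-01-02T10:00:00Z sess-alice POST /get_device device_id=1001
2018-01-02T10:00:05Z sess-bob POST /get_device device_id=1002
2018-01-02T10:00:06Z sess-bob POST /get_device device_id=1003
2018-01-02T10:00:07Z sess-bob POST /get_device device_id=1004
2018-01-02T10:00:08Z sess-bob POST /get_device device_id=1005
"""

LOG_RE = re.compile(
    r"^\S+ (?P<session>\S+) POST /get_device device_id=(?P<device>\d+)$")


def distinct_devices_per_session(log_text: str) -> Dict[str, int]:
    """Count how many different device IDs each session asked for."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            seen[m["session"]].add(m["device"])
    return {s: len(d) for s, d in seen.items()}


def enumeration_suspects(log_text: str, threshold: int = 3) -> List[str]:
    """Sessions that requested at least `threshold` distinct device IDs, which
    is more than an ordinary single-tracker account would ever need. The
    threshold is an assumed tuning value, not a figure from the advisory."""
    counts = distinct_devices_per_session(log_text)
    return sorted(s for s, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print("bob reads alice's tracker (vulnerable):",
          can_read(vulnerable_get_device, "sess-bob", "1001"))
    print("bob reads alice's tracker (hardened):  ",
          can_read(hardened_get_device, "sess-bob", "1001"))
    print("enumeration suspects:", enumeration_suspects(SAMPLE_LOG))
```

The hardened handler deliberately returns the same error for a non-existent device and for someone else's device; if the two cases were distinguishable, the endpoint would still leak which of the roughly 600,000 device IDs exist. The detection routine is a server-side complement, not a substitute for the fix: it only notices an enumeration that is already under way.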
Users are advised not to register on these vulnerable domains. Those who already have an account should stop using the affected devices' GPS functionality until patches are rolled out, change their password to a strong, unique one, and remove any potentially sensitive information stored in the account.
Unfortunately, there is no option for a user to delete the tracking history stored on the server, so all users remain exposed until a vendor fix is deployed.