A duo of researchers stumbled across a series of vulnerabilities in literally hundreds of GPS services that leave sensitive GPS tracking data open to hackers. Dubbed “Trackmageddon” by the researchers, the vulnerabilities span a range of weaknesses that include default or easy-to-guess passwords, IDOR (Insecure Direct Object Reference) issues, insecure API endpoints, and data collection folders that are entirely unsecured.
The reason so many different tracking services are impacted is that most of them rely on the same online software to deliver their services, and that software (believed to be designed by ThinkRace, one of the largest vendors of GPS tracking devices) itself is flawed. As more and more companies license it, the issues spread, exposing the data of an increasing number of customers who are entirely in the dark about how vulnerable their location data is.
The researchers have made attempts to contact the vendors offering GPS tracking services with vulnerabilities, but so far, have met with only limited success. According to their report:
“We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users.
We understand that only a vendor fix can remove a user’s location history (and any other stored user data for that matter) from the still affected services, but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices, much higher than the risk of historic data being exposed.”
As to the types of data being exposed, it includes: GPS coordinates, phone numbers, IMEI numbers, device information, and depending on which online service is being used, a hacker could even gain access to audio, video, and photos uploaded by the device being used.
While extremely convenient, these services do carry significant risks. Use them at your own risk.