Two security researchers, Vangelis Stykas and Michael Gruhn, have published a report on a series of vulnerabilities that they named "Trackmageddon" that affect several GPS and location tracking services.
These GPS tracking services are basic databases that collect geolocation data from smart GPS-enabled devices, such as pet trackers, car trackers, kid trackers, and other "[insert_name] tracker" products.
Data is collected on a per-device basis and stored in the database. Product manufacturers utilize these services as drop-in solutions for their smart devices, allowing them to support a GPS tracking feature for their product's software suite.
The two researchers argue that an attacker could leverage the collection of flaws they discovered to collect geolocation data from the users of those services.
The flaws range from easily guessable default passwords to exposed folders, and from unsecured API endpoints to insecure direct object reference (IDOR) flaws.
Stykas and Gruhn say an attacker can use the Trackmageddon vulnerabilities to extract data such as GPS coordinates, phone numbers, device data (IMEI, serial number, etc.), and possibly personal data, depending on the tracking service and device configuration.
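To make the IDOR class of flaw concrete from the defender's side, here is an added example that is not code from the researchers, from ThinkRace, or from any of the affected services: a framework-free Python model of a "get device positions" endpoint, showing the unchecked lookup beside one scoped to the authenticated user. The user names, device IDs and coordinates are constructed sample data, and the handler names are hypothetical.

```python
"""
Added illustration (not taken from the Trackmageddon advisories): a minimal,
framework-free model of a GPS tracking API endpoint that returns a device's
location records, first with an insecure direct object reference (IDOR) and
then with an ownership check. All users, device IDs and coordinates below
are constructed sample data.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller requests a device it does not own."""


@dataclass
class Device:
    device_id: int
    owner: str
    positions: list = field(default_factory=list)  # list of (lat, lon) tuples


# Constructed sample back-end state: two customers, three tracker devices.
DEVICES = {
    1001: Device(1001, "alice", [(48.8566, 2.3522)]),
    1002: Device(1002, "alice", [(51.5074, -0.1278), (51.5080, -0.1281)]),
    1003: Device(1003, "bob", [(40.7128, -74.0060)]),
}


def vulnerable_positions(session_user: str, device_id: int) -> list:
    """IDOR: the caller is authenticated (session_user) but the handler never
    checks that device_id belongs to that caller. Any logged-in user, or any
    caller on an endpoint that skips authentication entirely, can walk the
    ID space and read other customers' location history."""
    device = DEVICES.get(device_id)
    if device is None:
        raise KeyError(device_id)
    return list(device.positions)


def hardened_positions(session_user: str, device_id: int) -> list:
    """Authorization is bound to the authenticated identity, not to the
    identifier the client supplied: the lookup is scoped to devices the
    caller owns. An unowned device and a non-existent device both raise
    Forbidden, so the response does not reveal which device IDs exist."""
    device = DEVICES.get(device_id)
    if device is None or device.owner != session_user:
        raise Forbidden(f"user {session_user!r} may not read device {device_id}")
    return list(device.positions)


def can_read(session_user: str, device_id: int) -> bool:
    """Convenience wrapper: True if the hardened handler would serve the data."""
    try:
        hardened_positions(session_user, device_id)
        return True
    except Forbidden:
        return False


def owned_device_ids(session_user: str) -> list:
    """The only device enumeration a customer should be able to perform:
    listing their own devices."""
    return sorted(d.device_id for d in DEVICES.values() if d.owner == session_user)


if __name__ == "__main__":
    # Bob asks for Alice's device 1002.
    print("vulnerable handler:", vulnerable_positions("bob", 1002))
    try:
        hardened_positions("bob", 1002)
    except Forbidden as exc:
        print("hardened handler:", exc)
    print("bob's own devices:", owned_device_ids("bob"))
```

The design point is that the object identifier in the request is untrusted input; the server-side session decides what the caller may see, and a "not yours" and a "does not exist" answer should look identical. In a real service the same scoping belongs in the database query (filter by owner), not only in the handler, so every endpoint that touches a device inherits it.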
The two have been working for the past few months reaching out to the affected tracking services, but with little success, as only four services have implemented fixes to counteract the data leaks. In many cases, these tracking services did not have any contact information on their sites, making private disclosure almost impossible.
The research team said they faced a moral dilemma when it came to exposing the Trackmageddon flaws. Under normal circumstances, they would have allowed the companies more time to fix these issues, but they said they went public with their research because these services were actively leaking sensitive customer information.
"Our moral dilemma was that users cannot remove their location history. Only a vendor can do that," Gruhn told Bleeping Computer. "We disclosed because we rated the risk posed by attackers extracting live location data (that is an attacker knowing where you currently are every time you use the device) far higher than the risk posed by an attacker knowing where you have been in the past. So users can now protect themselves from the far worse attacks by not using the devices even if this means their location history remains exposed because vendors are not fixing this."
The researchers have released a list of services that fixed or may have fixed the flaws, a list of services still leaking data, and a list of affected devices [Trackmageddon homepage, a security advisory concerning gpsui.net and vmui.net, and another security advisory concerning the other services].
Proof of concept code for exploiting the flaws has been redacted from the advisories to prevent any attempts of cyber-stalking.
The researchers also believe that most of the leaky tracking services are running a vulnerable version of the ThinkRace location tracking software, which many of them have adopted and incorporated. Stykas and Gruhn said they told the ThinkRace team about the issues they found, and the software vendor issued fixes.
Article updated with comments from researchers and to remove mention that Trackmageddon flaws can be used to collect MAC addresses.