Level 30
Feb 4, 2016
Operating System
Windows 8.1
Two security researchers —Vangelis Stykas and Michael Gruhn— have published a report on a series of vulnerabilities that they named "Trackmageddon" that affect several GPS and location tracking services.

These GPS tracking services are basic databases that collect geolocation data from smart GPS-enabled devices, such as pets trackers, car trackers, kids trackers, and other "[insert_name] tracker" products.

Data is collected on a per-device basis and stored in the database. Product manufacturers utilize these services as drop-in solutions for their smart devices, allowing them to support a GPS tracking feature for their product's software suite.

Trackmageddon flaws leak user info

The two researchers argue that an attacker could leverage the collection of flaws they discovered to collect geolocation data from the users of those services.

The flaws range from easy-guessable default passwords to exposed folders, and from unsecured API endpoints to insecure direct object reference (IDOR) flaws.

Stykas and Gruhn say an attacker can use the Trackmageddon vulnerabilities to extract data such as GPS coordinates, phone numbers, device data (IMEI, serial number, MAC addresses, etc.), and possibly personal data —depending on the tracking service and device configuration.
100+ tracking services failed to acknowledge and patch flaws
The two have been working for the past few months reaching out to the affected tracking services, but with little success, as only four services have implemented fixes to counteract the data leaks. In many cases, these tracking services did not have any contact information on their sites, making private disclosure almost impossible.

The research team said they faced a moral dilemma when it came to exposing the Trackmageddon flaws. Under general circumstances, they would have allowed companies more time to fix these issues, but they said went public with their research because these services were leaking sensitive customer information that some users would like to know about and possibly take action and have removed.
Check to see what's vulnerable and what's not
Researchers have released a list of services who fixed or may have fixed the flaws, a list of services still vulnerable, and a list of affected devices [Trackmageddon homepage, a security advisory for concerning and, and another security advisory concerning the other services].

Proof of concept code for exploiting the flaws has been redacted from the advisories to prevent any attempts of cyber-stalking.