Trackmageddon attack puts millions of vulnerable GPS trackers at risk of data exposure.
According to research conducted by two security experts, Vangelis Stykas (@evstykas) and Michael Gruhn (@0x6d696368), a majority of location tracking devices are flawed and vulnerable to exploitation. These include a variety of devices such as child or pet trackers, fitness monitoring gadgets and vehicle trackers that rely on GPS and GSM tracking capabilities. Services that offer photo and audio recording are also on the list of.
As per their findings, these devices are managed by various online services that offer location tracking. However, these services cannot be trusted, because exposure of sensitive information is a real possibility.
Reportedly, hundreds of GPS services are vulnerable, most of which use open APIs and weak passwords such as 123456. This negligence has led to a wide range of privacy issues, for instance direct tracking of a device's owner, while logged data is exposed through open directories on these services. The security experts identified more than 100 vulnerable services and found that cybercriminals could attack the devices to access personal data.
Attackers need only exploit the default credentials of a device or weakly protected insecure direct object reference (IDOR) flaws to access personal information. Such flaws allow access to other users' accounts simply by changing a URL parameter value.
The security flaws have been dubbed Trackmageddon. The information exposed by the devices includes location history and current location, the phone number, model, type and IMEI number of the device, and audio recordings and images. Moreover, it is also possible to activate or deactivate certain features of a device (e.g., geofence alerts) by sending commands. Attackers can also obtain information via log files, directory listings, publicly exposed API endpoints, source code and WSDL files. The software was probably provided by the Chinese firm ThinkRace.
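The two weaknesses the article names, default credentials and an IDOR where changing a URL parameter returns another user's record, are both server-side authorization and policy failures. The following is an added example, not code from the article or from any tracker vendor, showing a constructed in-memory "get tracker by id" handler in its vulnerable form beside a hardened form that enforces object-level ownership, plus a weak-password audit against a small assumed deny-list. All user names, device ids, IMEI strings and passwords are constructed sample values.

```python
"""Vulnerable vs. hardened object lookup (IDOR) and a weak-credential audit.

Constructed sample data only: no real tracker service, API, account or
identifier is involved.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tracker:
    tracker_id: int
    owner: str
    imei: str                       # constructed placeholder, not a real IMEI
    last_position: tuple            # (latitude, longitude), constructed


# Constructed store: two users, each owning one device.
TRACKERS = {
    1001: Tracker(1001, "alice", "IMEI-SAMPLE-0001", (51.50, -0.12)),
    1002: Tracker(1002, "bob", "IMEI-SAMPLE-0002", (48.85, 2.35)),
}

# Constructed credential table; "123456" is the weak default the article cites.
USERS = {"alice": "123456", "bob": "correct-horse-battery-staple"}

# Assumed (small) deny-list of factory defaults; a real deployment would use a
# breached-password list and enforce a change at first login.
WEAK_DEFAULTS = {"123456", "password", "admin", "000000"}


class Forbidden(Exception):
    """Caller is not authenticated."""


class NotFound(Exception):
    """Record does not exist, or is not visible to the caller."""


def get_tracker_vulnerable(session_user: str, tracker_id: int) -> Tracker:
    """IDOR pattern: checks only that *someone* is logged in, then returns
    whatever id the URL parameter names. Any authenticated user can read
    any other user's device record by changing the id."""
    if session_user not in USERS:
        raise Forbidden("login required")
    if tracker_id not in TRACKERS:
        raise NotFound(tracker_id)
    return TRACKERS[tracker_id]


def get_tracker_hardened(session_user: str, tracker_id: int) -> Tracker:
    """Object-level authorization: the record must belong to the caller.
    A foreign id and a missing id both yield NotFound, so the response does
    not confirm that another user's device id exists."""
    if session_user not in USERS:
        raise Forbidden("login required")
    tracker = TRACKERS.get(tracker_id)
    if tracker is None or tracker.owner != session_user:
        raise NotFound(tracker_id)
    return tracker


def password_is_weak(password: str) -> bool:
    """True for factory defaults, very short values, or all-digit values."""
    return (
        password in WEAK_DEFAULTS
        or len(password) < 8
        or password.isdigit()
    )


def audit_weak_passwords(users: dict) -> list:
    """Return the sorted list of accounts still using a weak password."""
    return sorted(u for u, pw in users.items() if password_is_weak(pw))


def denied(handler, session_user: str, tracker_id: int) -> bool:
    """Helper: True if the handler refuses the request (Forbidden/NotFound)."""
    try:
        handler(session_user, tracker_id)
    except (Forbidden, NotFound):
        return True
    return False


if __name__ == "__main__":
    # alice asks for bob's device by simply changing the id parameter.
    leaked = get_tracker_vulnerable("alice", 1002)
    print("vulnerable handler leaked:", leaked.owner, leaked.imei)
    print("hardened handler denied:", denied(get_tracker_hardened, "alice", 1002))
    print("accounts with weak passwords:", audit_weak_passwords(USERS))
```

The hardened handler's check is the whole fix: authorization is decided by the record's owner field, never by the caller-supplied id alone, and the error response does not distinguish "not yours" from "does not exist". The audit function is the defender-side counterpart to the weak-password finding: run it against the credential store and force a change for every account it returns.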
To read the original article: