There is hardly a day without a privacy-related incident, data breach or vulnerability disclosure. It turns out that even many of the GPS tracking services we use on a daily basis are riddled with vulnerabilities.
These vulnerabilities, dubbed Trackmageddon, could give an unauthorized third party access to the location data of every location tracking device managed by the vulnerable online services.
Security researchers Vangelis Stykas and Michael Gruhn, who discovered the flaws, named them collectively Trackmageddon. The flaws are located in 103 online services, which leaves millions of devices vulnerable. It appears that these services are running vulnerable location tracking software developed and licensed by ThinkRace, an Indian GPS manufacturer.
Trackmageddon Vulnerabilities In Detail
As already mentioned, the flaws affect several GPS services that collect the geolocation of users of GPS-enabled smart devices such as child trackers, car trackers and pet trackers. The researchers report that the flaws include weak passwords, exposed folders and insecure API endpoints, among other issues.
If the flaws are exploited, an unauthorized third party can gain access to the personal information collected by the location tracking devices. This information is personally identifiable and includes:
- GPS coordinates;
- Phone numbers;
- Device model and type;
- IMEI numbers;
- Custom assigned names;
- Photos and audio recordings uploaded by the location tracking devices.
Yes, you read that correctly. Even photos and audio recordings are at risk of exposure.
This is what the researchers wrote:
We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk to the users. We understand that only a vendor fix can remove users' location history (and any other stored user data for that matter) from the still affected services, but we (and I personally, because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.
Read more about Trackmageddon here.