Trackmageddon exposes millions of GPS tracking devices

Vulnerabilities dubbed “Trackmageddon” were discovered in online services of (GPS) location tracking devices. The vulnerabilities could allow third parties unauthorized access to location data of all location tracking devices managed by a vulnerable online service.

Other types of data impacted include, serial number (i.e., IMEI), assigned phone number, model/type name and custom assigned names. The latter two features were not present in on gpsui.net and vmui.net. 

The discovery was made by security researcher Vangelis tix Stykas (@evstykas) and Michael Gruhn (@0x6d696368) who disclosed the vulnerabilities to One2Track, an intermediate vendor of www.one2trackgps.com.

According to Stykas, One2Track deployed the fixes over the weekend and the company issued a statement shortly afterwards. One2Track makes GPS phone watches for children and the elderly.

Thinkrace, one of the largest vendors for these GPS tracking devices, agreed to fix four (4) additional websites that they operate by January 2nd to include: grapi.5gcity.com, wagps.net, www.wagps.net and love.iotts.net. This is in addition to the already fixed sites www.one2trackgps.com, kiddo-track.com and www.amber360.com.

Other website owners could not be contacted yet by the researchers since site ownership details and contact information were not readily available at the time of the disclosure. 

Stykas called out Thinkrace as the most likely original developer of the location tracking online service software and seller of licenses to the software. 

Also, similar vulnerabilities in car tracking devices were presented by security researcher Lachlan Temple (@skooooch) at the 2015 Kiwicon security conference. However, the scope and impact have widened considerably to potentially millions of Internet of Things (IoT) devices that use such online trackers and locators. 

Check out the security advisory for more details to include which online tracking services and domains are still vulnerable. Affected users should stop using the devices until vulnerabilities are confirmed fixed. Also, check out Steve Regan’s article and further analysis of the GPS tracking vulnerabilities on CSO Online. 

Leave a Reply