Recently, two information security researchers, Vangelis Stykas and Michael Gruhn have discovered series of faults with numerous vulnerable GPS services using open APIs and trivial passwords. The series of vulnerabilities on the GPS services have compromised numerous GPS and location tracking services. Named as "Trackmageddon" by the security researchers, the vulnerability has enabled attackers across the world to expose a huge bundle of sensitive data on millions of online location tracking devices managed by vulnerable GPS services.
All these vulnerable GPS tracking services are basic databases that collect geolocation data from users’ GPS devices and these data are collected on a per-device basis.
According to Vangelis and Michael, a hacker could get hold of all the collection of flaws they discovered to collect geolocation data from the users of those vulnerable GPS services. The flaws in the devices range from easily guessable default passwords to exposed folders, and from unsecured API endpoints to insecure direct object reference (IDOR) flaws.
“A hacker can use the Trackmageddon vulnerabilities to extract data such as GPS coordinates, phone numbers, device data and possibly personal data —depending on the tracking service and device configuration,” said Vangelis and Michael.
What’s more to it?
By exploiting these flaws, an unauthorized third party or hacker can also access photos and audio recordings uploaded by location tracking devices.
The duo said they are trying to contact all the potentially affected vendors behind Trackmageddon for warning them of the severity of the vulnerabilities. Also, the two researchers believe that one of the biggest global vendors of GPS devices, ThinkRace, might be the original creator of the flawed location tracking service software.
“We understand that only a vendor can fix and remove user’s location history from the pwned services but we judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historical data being exposed.”