Trackmageddon flaws found in location tracking services

News by Rene Millman

Security researchers have warned that several GPS tracking services have flaws that could enable hackers to track users of these services.

The flaws were detailed by two security researchers, Vangelis Stykas and Michael Gruhn, in a report titled Trackmageddon. Devices affected include car, pet, and children trackers.

Among the vulnerabilities detailed are weak passwords, insecure APIs, and insecure direct object reference (IDOR) issues.

The researchers said that hackers could use the flaws to extract details such as a user's location, device model and type name, serial numbers (such as IMEI), an assigned phone number, and custom assigned name.

The researchers said that they have tried to contact the companies behind the affected tracking services, with mixed success at the beginning of November last year. So far only four services have fixed the flaws highlighted by the report. In some cases, these services provided no contact information, making private disclosure extremely difficult.

"We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users," said the researchers.

They said that a company called Thinkrace, which they believed to be the original developer of the location tracking online service software and seller of licences to the software, eventually agreed to fix,, and (in addition to the already fixed,, and

They concluded that the historic location information of users does not pose a direct imminent critical risk to a user.

"Because, while it is true that an attacker can obtain location information from still vulnerable online services, this location information is at first anonymous. In order to de-anonymise a specific user, ie identify which device belongs to which user, an attacker must already know a specific user's location, or a likely location, eg the user's home, then correlate this known location with all locations queried from the online services," said the researchers.

The researchers said that around 79 domains remain vulnerable and that they could not eliminate the possibility that there are other sub-domains under a vulnerable domain. They did not know if these services would be fixed.

"We could not establish communication with any of the “still vulnerable” online services and hence do not have any information on possible planned fixes. Hence, we assume there will be no fixes," they said.

According to researchers, the default password for these services seems to be 123456. 

"This default password will not adequately protect you, even if your device is managed by an online service that is not vulnerable. For you cannot change the password. The password seems to be hardcoded into the tracking device. However, the password seems to be six random digits, which provides slightly better protection than 123456," they said.

"As long as the online service managing your device is still vulnerable changing your password will not matter and there is unfortunately not much you can currently do to protect yourself besides stopping to use the device," they added.

Mark James, security specialist at ESET, told SC Media UK that data such as GPS locations, along with times, could enable an attacker to tailor an attack, either digital or indeed physical, with optimum effectiveness. "With this type of information, it shows a very clear footprint of your every move, something that, if exploited, could be the difference between a failed or successful attack," he said.

“An attacker with access to the data could use this information to determine your whereabouts and tailor a specific attack either with you, or without you present, depending on the attack vector.”
