Fi8sVrs

Multiple vulnerabilities in the online services of (GPS) location tracking devices

(Published: 2018-01-02, Last update: 2018-01-04)

We found vulnerabilities in the online services of (GPS) location tracking devices.

These vulnerabilities allow an unauthorized third party (among other things) access to the location data of all location tracking devices managed by the vulnerable online services.

This document summarizes the issues and answers the main questions for still affected users. For the technical details you can read the technical advisories.

Unfortunately, we were only able to establish communication with One2Track, the intermediate vendor of www.one2trackgps.com. One2Track responded promptly outside regular business hours (on a Saturday) and implemented the fixes over the weekend (deployed the following Monday). One2Track has issued a statement for their customers regarding this disclosure.

Thinkrace, the company we believe to be the original developer of the location tracking online service software and seller of licenses to the software, but only operator of some of the vulnerable online services eventually agreed to fix grapi.5gcity.com, wagps.net, www.wagps.net and love.iotts.net (in addition to the already fixed www.one2trackgps.com, kiddo-track.com, and www.amber360.com) by 2018-01-02.

All online services (except 4, including www.one2trackgps.com) did not contain any contact information and contact attempts to the contact email addresses given in the WHOIS records of the domains were not answered either or answered by entities not responsible nor in direct control of the online services.

We therefore hereby inform the users of the still vulnerable online services of the potential privacy and security risks involved in continuing using the location tracking devices that are managed by the still vulnerable online services.

Fixed online services (NOT vulnerable):

We received notifications and acknowledged that vendors have fixed the following online services.

Still vulnerable online services:

Maybe fixed online services (not vulnerable to our proof of concept exploits anymore):

There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online again as vulnerable.

Pending fixes:

We have been told by the vendor that these online services will be fixed by 2018-01-02 16:00 UTC. These online services are currently still vulnerable but the vendor is in the process of fixing. We will update as soon as the vendor notifies us and we can verify fixes.

  • http://wagps.net (partially fixed, directory listings removed, API still openly accessible)
  • http://www.wagps.net (partially fixed, directory listings removed, API still openly accessible)
  • http://love.iotts.net (partially fixed, directory listings removed, API still openly accessible)

Unfixed:

Am I affected?

If you manage your location tracking device via one of the above online services listed under “still vulnerable” or your location tracking device replies with an SMS containing a link to one of the domains listed under “still vulnerable” then you are affected.

What can/should I do?

Change your password for the online services!

The default password for these services seems to be 123456. This default password will not adequately protect you, even if your device is managed by an online service that is not vulnerable. For gpsui.net you cannot change the password. The password seems to be hardcoded into the tracking device. However, the password seems to be 6 random digits, which provides slightly better protection than 123456.

Stop using still affected devices

As long as the online service managing your device is still vulnerable changing your password will not matter and there is unfortunately not much you can currently do to protect yourself besides stopping to use the device.

While your location history will remain publicly accessible via the vulnerable online service until it is fixed, shutdown or the data is deleted, by stopping to use the device you can prevent

  1. more of your personal data being exposed
  2. your live location being monitored (which we rate a much higher privacy and security risk than historic location data)
  3. other features of your location tracking device being abused.

If you use an OBD GPS tracker that allows to immobilize your car and it is managed via a vulnerable online service we urge you to immediately detach it from your car and stop using it.

Remove as much data as you can from the still vulnerable online services

If you have personalized your device, e.g. given it a custom name (e.g. your car brand), or assigned phone numbers via the online service, you should change and/or delete those. While the location history remains on the websites, there is no history (that we know of) for names or phone numbers assigned to devices. This way you are at least able to delete some of your private information from the still vulnerable online services.

If your device is managed via gpsui.net or vmui.net your location history is only stored for the past 7 days. Hence, not using the device for 7 days is enough to delete your location history from the online service. However, the last location can still be queried, hence, we advise you to take the device away from a sensitive location to a place that does not threaten your privacy if revealed, e.g. a public parking lot, and activate the device for one last time. This way after 7 days the only exposed information will be the location of the public parking lot.

When will the still vulnerable online services be fixed?

We do not know.

We could not establish communication with any of the “still vulnerable” online services and hence do not have any information on possible planned fixes. Hence, we assume there will be no fixes. This is why we release this information to the public even though no fixes for all affected online services are available, see our disclosure rationale for more details on this decision.

Given that very similar (possibly even identical) issues have been found by “skooch” already in 2015 (see story by The Register and slides from Unrestcon) there may never be any fixes at all.

What is the impact of the vulnerabilities?

For a full technical summary of the impact and exploitation details we refer to the technical advisories. A summary of the impact and requirements by an attacker are as follows:

Verified

Due to the number of affected sites and the lack of test devices for all of them we could only verify the following for all affected online services:

An unauthorized third party can access

  • the location
  • model/type name (feature not present on gpsui.net and vmui.net)
  • SN (serial number, i.e. IMEI)
  • assigned phone number
  • custom assigned name (feature not present on gpsui.net and vmui.net)

of all location tracking devices managed by a vulnerable online service.

For gpsui.net and vmui.net this requires the unauthorized third party to be authenticated, i.e. logged into the service as any user, but due to the vulnerability is able to access data and act on behalf of other users. For the rest of the online services no authentication is required at all.

Partially verified

Via test devices we were able to verify the following for gpsui.net and www.gps958.com:

An unauthorized third party can

  • access the location history of (1 week for gpsui.net, indefinitely for www.gps958.com)
  • send commands (the same that can be sent via SMS) to
  • activate and/or deactivate geo fencing alarm of

all location tracking devices managed by a vulnerable online service.

For gpsui.net this requires the unauthorized third party to be authenticated, i.e. logged into the service as any user, but due to the vulnerability is able to access data and act on behalf of other users. For www.gps958.com no authentication is required at all.

Due to subtle API changes and different feature sets present in each different affected online service we cannot say with certainty whether these additional attacks would also work against all affected online services, but we believe as long as the user interface of the online service offers a specific feature it can also be abused in the same fashion as we exploited the verified vulnerabilities against all online services.

On some online services directory listings on the website allow an unauthorized third party to access:

  • images uploaded by
  • audio recordings uploaded by

(we presume) location tracking devices. But please do not panic, we are certain that only devices which explicitly have this feature built-in upload images and audio and also only when this feature is actually used. But we did not have a device to test this. We only found the uploaded files.

Unverified

Other features potentially accessible by an unauthorized third party via the unsecured APIs that we could (due to the lack of a test device) not verify at all:

These last unverified potential vulnerabilities are not present in gpsui.net and vmui.net

Why do you disclose this before all online services are fixed?

We used to have a long disclosure rationale here, but because the situation has changed dramatically after we made the decision to disclose and we continuously evaluate the situation resulting in first cutting our initial communicated deadline shorter (due to lack of vendor response from still affected vendors) then in the end extending the deadline (due to sudden vendor responsiveness), in the end our disclosure rationale was not readable anymore.

In the end, it boils down to this: We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users. We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.

We concluded that the historic location information of users does not pose a direct imminent critical risk to a user. Because, while it is true that an attacker can obtain location information from still vulnerable online services, this location information is at first anonymous. In order to de-anonymize a specific user, i.e. identify which device belongs to which user, an attacker must already know a specific user’s location, or a likely location, e.g. the user’s home, then correlate this known location with all locations queried from the online services. Eventually identifying a location tracking device potentially used by that particular user. Only at that point can an attacker manipulate and track a specific user’s device. It is at this point that we see the most imminent risk to a user because now their live location can be queried from their device.

Hence, a user that is not actively using a device that is managed by a still vulnerable site is protected from any more devastating direct critical risk, such as stalking or surveillance. Therefore the sooner users of the still vulnerable online services are informed the sooner they can protect themselves from potential attacks.

Do you think this disclosure was done wrong?

We understand that you may have a different opinion on how this should have been disclosed. In this case we would like to point out that many of the online services are still not fixed! Hence, we would like to use this perfect opportunity to invite you to try and inform the vendors yourself in a fashion that you think will get these online services fixed. Good luck! We really appreciate your help!

Technical advisories

Warning: the technical advisories represent the state of the vulnerable online services as we first discovered them; we only updated the timelines in the advisories.

We redacted some information from the advisories, namely:

Even with our redacted information, technical experts in the field should be able to verify our findings with ease.

Acknowledgments

Vangelis @evstykas Stykas discovered the vulnerabilities.

We would also like to thank One2Track for their fast response and for helping us reach out to Thinkrace in an effort to dissipate the fixes deployed to www.one2trackgps.com to the other affected online services.

If you have any questions or need clarification you can reach out to me via Twitter (DMs are open, no need to follow). I might not know all the answers though because this is quite a huge mess that we likely only scratched the surface. I will also likely prioritize press inquiries first (to support responsible reporting) instead of individual user questions, thank you for your understanding.

 

Source: https://0x0.li/trackmageddon/

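Editor's added example, not part of the original post or the linked advisories: the two access-control failures the summary describes (no authentication at all, and login as any user being enough to read other users' devices) shown beside a handler that checks ownership. All function names, tokens, serial numbers and records are constructed for illustration and do not reflect any affected service's real API.

```python
# Added illustration; every name and value below is constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    sn: str          # serial number (IMEI), placeholder value
    owner: str       # account that registered the device
    name: str        # custom assigned name
    phone: str       # assigned phone number
    location: tuple  # last known (lat, lon)


DEVICES = {
    "000000000000001": Device("000000000000001", "alice", "family car",
                              "+10000000001", (52.0, 4.3)),
    "000000000000002": Device("000000000000002", "bob", "bike",
                              "+10000000002", (48.1, 11.5)),
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> user


def get_device_open(sn, token=None):
    """Failure 1: no authentication; any caller gets any device record."""
    dev = DEVICES.get(sn)
    return (200, dev) if dev else (404, None)


def get_device_any_user(sn, token=None):
    """Failure 2: login is required, but the record is never tied to the caller."""
    if token not in SESSIONS:
        return (401, None)
    dev = DEVICES.get(sn)
    return (200, dev) if dev else (404, None)


def get_device_checked(sn, token=None):
    """Corrected: authenticate first, then authorize against the device owner."""
    user = SESSIONS.get(token)
    if user is None:
        return (401, None)
    dev = DEVICES.get(sn)
    # Same answer for "missing" and "not yours", so serial numbers cannot be probed.
    if dev is None or dev.owner != user:
        return (404, None)
    return (200, dev)
```
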

http://www.navy.mil/submit/display.asp?story_id=103130

https://www.reuters.com/article/us-usa-navy-collisions/ex-u-s-navy-officers-face-negligent-homicide-charges-over-ship-collisions-idUSKBN1F6017

 

In the middle of nowhere, 2 ships collide... in 2 different incidents... Was the GPS working?

A stray thought takes me to the 2 false nuclear attack alarms, Hawaii and, 4 days later, Japan... GPS satellites involved?

It is probably the effect of the neurodisruptor MSG consumed in the area... :D


Actually, the vulnerability was in the tracking services.

Because the device does not just start sending data at random to any server.

And since it has a SIM card, it is behind a NAT.

They found vulnerabilities in the server the devices were sending data to.

Trackers are generally configured via USB or via SMS, and you can set them to verify the phone number the request comes from.

But because those idiots did not secure their site...
