We use more and more GPS-based services, especially from our mobile devices: maps that guide us from one point to another, sharing our location on social networks or in messaging clients such as WhatsApp, and geotagging our photos. Trackers are also very popular today: devices that constantly record their position so that we can follow them directly from an online platform. What we may not realise is that this type of service can be far more dangerous than it seems when security flaws such as Trackmageddon appear.
Trackmageddon was unveiled a few hours ago: a series of vulnerabilities discovered by two security researchers in multiple online GPS and location services. These services are used by a wide variety of devices, such as pet trackers, car trackers, child locators, sports tracking systems and any other device with a tracking function. Most of these devices store their locations in a database so that the data can be used by the vendor's own software, for example to dump it to a computer.
As the researchers explain, the Trackmageddon vulnerabilities are very easy to exploit to extract all kinds of information from the affected services, both through the default passwords used in most of them, such as 123456, and through insecure direct object reference (IDOR) flaws in the services' databases that expose other users' records.
By exploiting the vulnerabilities, anyone could not only get hold of the database but also collect all kinds of information, such as the IMEI, serial number and MAC address of the affected device, as well as personal information about its owner, such as their personal details and telephone number, depending on the service used and its configuration. The way the data is extracted varies from one online service to another, so the best way to protect against these vulnerabilities is simply to avoid using them, at least until the flaws are fixed.
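To make the two weaknesses the article names concrete, here is an added illustration written for this page (it is not code from the researchers or from any affected vendor): a toy location-tracking backend with a lookup that has an IDOR flaw, the same lookup with an ownership check, a default-password gate, and a small detection routine that flags users walking through device ids they do not own. All users, device ids, IMEI values and coordinates are constructed sample data.

```python
"""Toy tracker backend: IDOR-style lookup vs. hardened lookup, default-password
rejection, and enumeration detection. Added example; all data is constructed."""

from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample data: two owners, each with one tracker.
DEVICES = {
    "dev-1001": {"owner": "alice", "imei": "IMEI-PLACEHOLDER-1", "last_fix": (40.4168, -3.7038)},
    "dev-1002": {"owner": "bob", "imei": "IMEI-PLACEHOLDER-2", "last_fix": (41.3874, 2.1686)},
}

# Constructed list of trivial credentials of the kind the article says many
# services shipped with.
DEFAULT_PASSWORDS = {"123456", "password", "admin"}


@dataclass
class Session:
    """Whoever is logged in; authentication itself is out of scope here."""
    user: str


def get_location_vulnerable(session: Session, device_id: str) -> Optional[dict]:
    """IDOR: any logged-in user gets any device record just by supplying its id."""
    return DEVICES.get(device_id)


def get_location_hardened(session: Session, device_id: str) -> Optional[dict]:
    """Ownership check: the record is returned only to the device's owner.
    A missing id and a foreign id both yield None, so the response does not
    reveal whether a guessed id exists."""
    rec = DEVICES.get(device_id)
    if rec is None or rec["owner"] != session.user:
        return None
    return rec


def password_is_acceptable(password: str) -> bool:
    """Refuse default/trivial passwords before a tracker account can be used."""
    return len(password) >= 12 and password not in DEFAULT_PASSWORDS


# Constructed access-log sample: (user, requested device id). "mallory" walks
# through sequential ids, including one that does not exist.
SAMPLE_ACCESS_LOG = [
    ("alice", "dev-1001"),
    ("bob", "dev-1002"),
    ("mallory", "dev-1001"),
    ("mallory", "dev-1002"),
    ("mallory", "dev-1003"),
]


def flag_enumeration(access_log: Iterable[tuple], threshold: int = 3) -> set:
    """Detection: users who requested at least `threshold` distinct device ids
    they do not own. Unknown ids count too, because sequential guessing hits
    them as often as real ones."""
    foreign: dict = {}
    for user, device_id in access_log:
        rec = DEVICES.get(device_id)
        if rec is None or rec["owner"] != user:
            foreign.setdefault(user, set()).add(device_id)
    return {user for user, ids in foreign.items() if len(ids) >= threshold}


if __name__ == "__main__":
    bob = Session("bob")
    print("vulnerable lookup leaks alice's tracker:", get_location_vulnerable(bob, "dev-1001"))
    print("hardened lookup for the same request:", get_location_hardened(bob, "dev-1001"))
    print("123456 accepted as a password:", password_is_acceptable("123456"))
    print("users flagged for enumeration:", flag_enumeration(SAMPLE_ACCESS_LOG))
```

The hardened lookup deliberately returns the same `None` for "not yours" and "does not exist"; the detection routine only needs the access log and the ownership table, so it can run offline over exported logs without touching the live service.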
How to check if our GPS locator or service is vulnerable to Trackmageddon
The researchers spent months analysing services and platforms and reporting the security failures to those responsible for fixing them; however, of the hundreds of tracking services analysed, only 9 have acknowledged the flaw and released a patch to solve these problems in their firmware.
They then faced the dilemma of whether to publish the list or give the manufacturers more time to solve the problem. Under normal conditions more time would be given, but the longer disclosure is delayed, the more personal information users will be leaking without knowing it.
Therefore, at the following link we can find a complete list of all the GPS services affected by these vulnerabilities, so that any user can check whether their service is safe or whether it may be leaking their information without their knowledge, in which case it is best to stop using it.
If we are using a vulnerable service, the first recommendation is to change our service password (and everywhere else we use the same one), and then to remove from our profile any personal information that could be stolen through the Trackmageddon security flaws.
Do you use any of these platforms vulnerable to Trackmageddon?