Trackmageddon – GPS Location Tracking Services Leaving User Data Open to Hackers

The series of vulnerabilities was discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs ‘Trackmageddon‘ in a report detailing the key security issues they encountered in many GPS tracking services.

GPS hacking

Trackmageddon affects several GPS services that harvest geolocation data from a range of smart GPS-enabled devices, including child trackers, car trackers and pet trackers, so that their owners can keep track of where they are. According to the researchers, the vulnerabilities include easy-to-guess passwords such as 123456, exposed folders, insecure API endpoints, and insecure direct object reference (IDOR) issues.
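To make two of the flaw classes named above concrete, here is an added illustration (not code from the researchers or from any of the affected services). It models a tracker back end with a hypothetical in-memory store: `location_vulnerable` is an IDOR, returning any device record for any identifier the caller supplies, while `location_hardened` ties the lookup to the authenticated user; `password_acceptable` rejects weak defaults such as 123456. All records, names and the weak-password list are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: a tracker back end keyed by device id.
# Sequential ids like these are what make an insecure direct object
# reference (IDOR) trivial to enumerate once the check is missing.

@dataclass(frozen=True)
class TrackerRecord:
    device_id: int
    owner: str        # account the device is registered to
    name: str         # custom assigned name
    imei: str
    lat: float
    lon: float

# Hypothetical in-memory store standing in for the service's database.
RECORDS: Dict[int, TrackerRecord] = {
    1001: TrackerRecord(1001, "alice", "kid-watch", "000000000000001", 52.52, 13.40),
    1002: TrackerRecord(1002, "bob", "car", "000000000000002", 48.86, 2.35),
}

def location_vulnerable(device_id: int) -> Optional[TrackerRecord]:
    """IDOR: the endpoint trusts the identifier alone and never asks who is
    calling, so any logged-in user can read any device's position."""
    return RECORDS.get(device_id)

def location_hardened(session_user: str, device_id: int) -> Optional[TrackerRecord]:
    """Ownership is enforced server-side. A record that does not exist and a
    record owned by someone else both yield None, so the response does not
    reveal which device ids are valid."""
    record = RECORDS.get(device_id)
    if record is None or record.owner != session_user:
        return None
    return record

# Constructed sample of weak defaults; "123456" is the one named in the article.
COMMON_PASSWORDS = frozenset({"123456", "password", "111111", "123123"})

def password_acceptable(password: str, min_length: int = 12) -> bool:
    """Reject passwords that are too short or appear on the common-password list."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS

if __name__ == "__main__":
    print(location_vulnerable(1002))             # bob's car, returned to anyone
    print(location_hardened("alice", 1002))      # None: not alice's device
    print(password_acceptable("123456"))         # False
```

The point of the hardened variant is that the authorization decision is made from the session, never from the identifier in the request; switching to random, non-sequential device ids is not a substitute for that check.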

Which data are affected?

By exploiting these flaws, an unauthorized third party can access the personally identifiable information collected by the location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names. The affected services are:

http://www.gps958.com
http://m.999gps.net
http://www.techmadewatch.eu
http://www.jimigps.net
http://www.9559559.com
http://www.goicar.net
http://www.tuqianggps.com
http://vitrigps.vn
http://www.coogps.com
http://greatwill.gpspingtai.net
http://www.cheweibing.cn
http://car.iotts.net
http://carm.gpscar.cn
http://watch.anyixun.com.cn
http://www.007hwz.com
http://www.thirdfang.com
http://www.wnxgps.cn
http://binding.gpsyeah.net
http://chile.kunhigps.cl
http://portal.dhifinder.com
http://www.bizgps.net
http://www.gpsmarvel.com
http://www.mygps.com.my
http://www.mygpslogin.net
http://www.packet-v.com
http://login.gpscamp.com
http://www.tuqianggps.net
http://tuqianggps.net
http://www.dyegoo.net
http://tracker.gps688.com
http://www.aichache.cn
http://gtrack3g.com
http://www.ciagps.com.tw
http://www.fordonsparning.se
http://www.gm63gps.com
http://yati.net
http://www.mytracker.my
http://www.istartracker.com
http://www.twogps.com
http://www.xmsyhy.com
http://www.icaroo.com
http://mootrack.net
http://spaceeyegps.com
http://www.freebirdsgroup.com
http://www.gpsmitramandiri.com
http://www.silvertrackersgps.com
http://www.totalsolutionsgps.com
http://567gps.com
http://gps.tosi.vn
http://gps.transport-duras.com
http://thietbigps.net
http://mygps.co.id
http://www.gpsuser.net
http://www.mgoogps.com
http://www.gpscar.cn
http://www.aichache.net
http://www.gpsline.cn
http://2.tkstargps.net
http://ephytrack.com
http://www.squantogps.com
http://www.tkgps.cn
http://vip.hustech.cn
http://www.blowgps.com
http://www.zjtrack.com
http://fbgpstracker.com
http://gps.gpsyi.com
http://www.crestgps.com
http://www.spstrackers.com
http://en.gps18.com
http://en.gpsxitong.com
http://gps18.com
http://en2.gps18.com
http://ry.gps18.com
http://www.ulocate.se
http://classic.gpsyeah.com
http://www.gpsyeahsupport.top
http://gpsui.net
http://vmui.net

What to do now?

  • Stop using the affected devices until this is fixed (by the mentioned services) and factory reset the device
  • If you have a backup, use a backup
  • Block the services via e.g. a HOSTS file
  • Change your passwords
  • Disable GPS tracking services if you don’t need them
  • Install solutions like e.g. XLUA
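
For the HOSTS-file step above, here is an added helper (not from the article or the researchers) that turns a list of service URLs into HOSTS lines pointing each hostname at 0.0.0.0. The URL sample is a constructed subset of the list in this article, with one duplicated entry to show that repeats are collapsed.

```python
from urllib.parse import urlsplit
from typing import Iterable, List

# Constructed sample: a few of the service URLs named in the article, plus one
# deliberate duplicate (trailing slash) to exercise de-duplication.
AFFECTED_URLS = [
    "http://www.gps958.com",
    "http://www.gps958.com/",
    "http://m.999gps.net",
    "http://www.tuqianggps.net",
    "http://tuqianggps.net",
    "http://watch.anyixun.com.cn",
]

def hostnames(urls: Iterable[str]) -> List[str]:
    """Extract unique lowercase hostnames, preserving first-seen order."""
    seen: List[str] = []
    for url in urls:
        host = urlsplit(url.strip()).hostname
        if host and host not in seen:
            seen.append(host)
    return seen

def hosts_entries(urls: Iterable[str], sink: str = "0.0.0.0") -> List[str]:
    """Render HOSTS-file lines pinning each hostname to an unroutable sink.
    0.0.0.0 fails immediately; 127.0.0.1 would instead reach any local listener."""
    return [f"{sink} {host}" for host in hostnames(urls)]

if __name__ == "__main__":
    # Append the output to /etc/hosts (Linux/macOS) or
    # C:\Windows\System32\drivers\etc\hosts (Windows) as an administrator.
    print("# Trackmageddon services (added locally)")
    print("\n".join(hosts_entries(AFFECTED_URLS)))
```

Two caveats: HOSTS entries are exact-match, so `www.tuqianggps.net` and `tuqianggps.net` each need their own line, and the file only affects name resolution on the machine it lives on. It stops the companion app or browser on that machine from reaching the service; the tracker itself, which uploads its position over its own cellular link, is unaffected, which is why the list above also says to stop using and factory reset the device.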

According to the researchers, one of the largest global vendors of GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and the seller of licenses to it. At the time of writing, some domains have already been fixed, but this only prevents new leaks; data that has already been exposed cannot be recovered.

Resources

  • Hundreds of thousands of engine immobilisers hackable over the net (theregister.co.uk)
  • zxsecurity.co.nz whitepaper (pdf)