(Published: 2018-01-02, Last update: 2018-01-10)

We found vulnerabilities in the online services of (GPS) location tracking devices.

These vulnerabilities allow an unauthorized third party (among other things) access to the location data of all location tracking devices managed by the vulnerable online services.

This document summarizes the issues and answers the main questions for still affected users. For the technical details you can read the technical advisories.

Unfortunately, we were only able to establish communication with One2Track, the intermediate vendor of www.one2trackgps.com. One2Track responded promptly outside regular business hours (on a Saturday) and implemented the fixes over the weekend (deployed the following Monday). One2Track has issued a statement for their customers regarding this disclosure.

Thinkrace, the company we believe to be the original developer of the location tracking online service software and the seller of licenses to it, but the operator of only some of the vulnerable online services, eventually agreed to fix manage.5gcity.com, grapi.5gcity.com, wagps.net, www.wagps.net and love.iotts.net (in addition to the already fixed www.one2trackgps.com, kiddo-track.com, and www.amber360.com) by 2018-01-02. However, as of 2018-01-05 there remains one unfixed online service for which Thinkrace is still working on a fix (see the list of still pending fixes).

On 2018-01-05 we received a statement from Thinkrace which we publish here verbatim as it was sent to us (we asked them to put it on their own server so we could link to it, to prevent any claims of us tampering with the statement; in case we receive a link to a statement we will replace this statement with the link):

Security statement Thinkrace regarding disclosure ‘Trackmageddon’ (2 januari 2018): Our clients ease of user experiences and security are most important to us, which we are continuously improving. Thank you for pointing out the issues, we imediatly took action to solve the issues. we agreed to fix grapi.5gcity.com, wagps.net, www.wagps.net and love.iotts.net (in addition to the already fixed www.one2trackgps.com, kiddo-track.com, and www.amber360.com) by 2018-01-02, we are glad to fix that still work in our server so far. We also checking their system on other vulnerability’s and focus on provide high-level securiy devices. Thinkrace will be one of the GPS supplier much focus on security and high quality products, we are working to do better in the future.

We also updated our advisory with regard to our attribution of the sites to vendors (specifically Thinkrace).

On 2018-01-09 we were contacted by Yiwen Inc. They fixed their services and are currently updating services of their customers, which they say will be finished before 2018-01-13 (see the list of still pending fixes). Yiwen Inc. has issued a statement.

None of the online services (except four, including www.one2trackgps.com) contained any contact information, and attempts to contact the email addresses given in the WHOIS records of the domains either went unanswered or were answered by entities neither responsible for nor in direct control of the online services.

We therefore hereby inform the users of the still vulnerable online services of the potential privacy and security risks involved in continuing to use the location tracking devices that are managed by the still vulnerable online services.

After public disclosure some affected vendors have reached out to us and are currently in the process of fixing their services.

Fixed online services (NOT vulnerable):

We received notifications and acknowledged that vendors have fixed (the issues we reported in) the following online services.

Maybe fixed online services (not vulnerable to our proof of concept exploits anymore, last checked 2018-01-07):

Several online services stopped being vulnerable to our automated proof of concept code, but because we never received a notification from a vendor that they fixed them, it could be that these services come back online as vulnerable again.

Still vulnerable online services:

Pending fixes:

Thinkrace is working on a fix for the last service under their control. But because the code is old (from 2014), a fix is hard to develop and they cannot give an estimate of when this service will be fixed:

Unfixed (last checked 2018-01-09):

We could not (yet) establish contact with any of the vendors of the online services below, so we cannot give any information on whether they will be fixed or not.

Am I affected?

If you manage your location tracking device via one of the above online services listed under “still vulnerable” or your location tracking device replies with an SMS containing a link to one of the domains listed under “still vulnerable” then you are affected.

What can/should I do?

Change your password for the online services!

The default password for these services seems to be 123456. This default password will not adequately protect you, even if your device is managed by an online service that is not vulnerable. For gpsui.net you cannot change the password; it seems to be hardcoded into the tracking device. However, that password seems to be 6 random digits, which provides slightly better protection than 123456.

Stop using still affected devices

As long as the online service managing your device is still vulnerable, changing your password will not matter, and there is unfortunately not much you can currently do to protect yourself other than to stop using the device.

While your location history will remain publicly accessible via the vulnerable online service until it is fixed, shut down, or the data is deleted, by no longer using the device you can prevent

  1. more of your personal data being exposed
  2. your live location being monitored (which we rate a much higher privacy and security risk than historic location data)
  3. other features of your location tracking device being abused.

If you use an OBD GPS tracker that can immobilize your car and it is managed via a vulnerable online service, we urge you to immediately detach it from your car and stop using it.

Remove as much data as you can from the still vulnerable online services

If you have personalized your device, e.g. given it a custom name (such as your car brand) or assigned phone numbers via the online service, you should change and/or delete those. While the location history remains on the websites, there is no history (that we know of) for names or phone numbers assigned to devices. This way you are at least able to delete some of your private information from the still vulnerable online services.

If your device is managed via gpsui.net or vmui.net, your location history is only stored for the past 7 days. Hence, not using the device for 7 days is enough to delete your location history from the online service. However, the last location can still be queried. We therefore advise you to take the device away from a sensitive location to a place that does not threaten your privacy if revealed, e.g. a public parking lot, and activate the device there one last time. This way, after 7 days the only exposed information will be the location of the public parking lot.

When will the still vulnerable online services be fixed?

We do not know.

We could not establish communication with any of the “still vulnerable” online services and hence have no information on possible planned fixes. Hence, we assume there will be no fixes. This is why we release this information to the public even though fixes are not available for all affected online services; see our disclosure rationale for more details on this decision.

Given that very similar (possibly even identical) issues have been found by “skooch” already in 2015 (see story by The Register and slides from Unrestcon) there may never be any fixes at all.

What is the impact of the vulnerabilities?

For a full technical summary of the impact and exploitation details we refer to the technical advisories. A summary of the impact, and of what an attacker requires, follows:

Verified

Due to the number of affected sites and the lack of test devices for all of them we could only verify the following for all affected online services:

An unauthorized third party can access

of all location tracking devices managed by a vulnerable online service.

For gpsui.net and vmui.net this requires the unauthorized third party to be authenticated, i.e. logged into the service as any user, who, due to the vulnerability, is then able to access data and act on behalf of other users. For the rest of the online services no authentication is required at all.

Partially verified

Via test devices we were able to verify the following for gpsui.net and www.gps958.com:

An unauthorized third party can

all location tracking devices managed by a vulnerable online service.

For gpsui.net this requires the unauthorized third party to be authenticated, i.e. logged into the service as any user, who, due to the vulnerability, is then able to access data and act on behalf of other users. For www.gps958.com no authentication is required at all.
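The two paragraphs above describe the same flaw class twice: the service checks that a caller has some session, but never that the device being queried or commanded belongs to that session, so any account can read and act on any device. The following Python is an added illustration of that class and of the ownership check that closes it; it is constructed for this page and is not the code of gpsui.net, vmui.net, www.gps958.com, or any other service named here. The device records, user names and function names are all assumptions made for the example.

```python
"""Constructed model of an authorization-bypass flaw in a tracker API.

This is illustrative code written for this page, not the code of any of
the services in the advisory. It models: a session that proves *someone*
is logged in, a device table, a handler that forgets to check ownership,
and the hardened handlers that route every lookup through one ownership
gate.
"""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a caller is not allowed to act on a device."""


@dataclass
class Device:
    device_id: str
    owner: str
    name: str
    last_location: tuple  # (lat, lon); constructed sample values


@dataclass
class Store:
    devices: dict = field(default_factory=dict)

    def add(self, device: Device) -> None:
        self.devices[device.device_id] = device


# Constructed sample data: two accounts, each owning one tracker.
STORE = Store()
STORE.add(Device("1001", "alice", "alice-car", (52.37, 4.90)))
STORE.add(Device("1002", "bob", "bob-kid", (51.92, 4.48)))


def get_location_vulnerable(session_user: str, device_id: str) -> tuple:
    """The flaw class from the advisory: authentication is checked, but the
    device is fetched by id alone, so a user logged in as *any* account can
    read the location of *every* device the service manages."""
    if not session_user:
        raise AuthorizationError("login required")
    return STORE.devices[device_id].last_location


def owned_device(session_user: str, device_id: str) -> Device:
    """Single ownership gate used by every hardened handler.

    A missing device and a device owned by someone else produce the same
    error, so the response does not reveal which device ids exist."""
    if not session_user:
        raise AuthorizationError("login required")
    device = STORE.devices.get(device_id)
    if device is None or device.owner != session_user:
        raise AuthorizationError("device not found")
    return device


def get_location_fixed(session_user: str, device_id: str) -> tuple:
    """Read path: only the owner can query the device's last location."""
    return owned_device(session_user, device_id).last_location


def rename_device_fixed(session_user: str, device_id: str, new_name: str) -> str:
    """Write path ("act on behalf of"): the same gate guards every mutation,
    not just reads."""
    device = owned_device(session_user, device_id)
    device.name = new_name
    return device.name


def is_authorized(session_user: str, device_id: str) -> bool:
    """Boolean view of the gate, handy for tests and for audit logging."""
    try:
        owned_device(session_user, device_id)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    # Alice, logged in as herself, reads Bob's tracker via the flawed handler.
    print("vulnerable:", get_location_vulnerable("alice", "1002"))
    # The hardened handler refuses the same request.
    print("fixed allows own device:", is_authorized("alice", "1001"))
    print("fixed allows other's device:", is_authorized("alice", "1002"))
```

The design point is that the check lives in one function (`owned_device`) that every handler must call to obtain a device object at all; a handler that forgets the check cannot get a device to work with, which is what makes the "any logged-in user" bypass described above structurally impossible rather than a matter of remembering an `if` in each endpoint.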

Due to subtle API changes and different feature sets in each affected online service, we cannot say with certainty whether these additional attacks would also work against all affected online services. However, we believe that as long as the user interface of an online service offers a specific feature, that feature can be abused in the same fashion as the verified vulnerabilities we exploited against all online services.

On some online services directory listings on the website allow an unauthorized third party to access:

of (we presume) location tracking devices. But please do not panic: we are certain that only devices which explicitly have this feature built in upload images and audio, and only when the feature is actually used. We did not have a device to test this; we only found the uploaded files.

Unverified

Other features potentially accessible by an unauthorized third party via the unsecured APIs that we could (due to the lack of a test device) not verify at all:

These last unverified potential vulnerabilities are not present in gpsui.net and vmui.net.

Why do you disclose this before all online services are fixed?

We used to have a long disclosure rationale here. However, the situation changed dramatically after we made the decision to disclose, and we continuously re-evaluated it: first we cut our initially communicated deadline shorter (due to lack of response from still affected vendors), then in the end we extended the deadline (due to sudden vendor responsiveness). As a result, our disclosure rationale was no longer readable.

In the end, it boils down to this: We tried to give the vendors enough time to fix (or even to respond, for that matter) while weighing this against the current immediate risk to users. We understand that only a vendor fix can remove users’ location history (and any other stored user data, for that matter) from the still affected services, but we (and I personally, because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.

We concluded that the historic location information of users does not pose a direct, imminent, critical risk to a user. While it is true that an attacker can obtain location information from still vulnerable online services, this location information is at first anonymous. In order to de-anonymize a specific user, i.e. identify which device belongs to which user, an attacker must already know a specific user’s location, or a likely location such as the user’s home, and then correlate this known location with all locations queried from the online services, eventually identifying a location tracking device potentially used by that particular user. Only at that point can an attacker manipulate and track a specific user’s device. It is at this point that we see the most imminent risk to a user, because now their live location can be queried from their device.

Hence, a user who is not actively using a device managed by a still vulnerable site is protected from the more devastating direct critical risks, such as stalking or surveillance. Therefore, the sooner users of the still vulnerable online services are informed, the sooner they can protect themselves from potential attacks.

Do you think this disclosure was done wrong?

We understand that you may have a different opinion on how this should have been disclosed. In this case we would like to point out that many of the online services are still not fixed! Hence, we would like to use this perfect opportunity to invite you to try and inform the vendors yourself in a fashion that you think will get these online services fixed. Good luck! We really appreciate your help!

Technical advisories

Warning: the technical advisories represent the state of the vulnerable online services as we first discovered them; we only updated the timelines in the advisories.

We redacted some information from the advisories, namely:

Even with this information redacted, technical experts in the field should be able to verify our findings with ease.

Acknowledgments

Vangelis Stykas (@evstykas) discovered the vulnerabilities.

We would also like to thank One2Track for their fast response and for helping us reach out to Thinkrace in an effort to disseminate the fixes deployed to www.one2trackgps.com to the other affected online services.

If you have any questions or need clarification you can reach out to me via Twitter (DMs are open, no need to follow) or . I might not know all the answers though, because this is quite a huge mess of which we likely only scratched the surface.