Hundreds of GPS Location Tracking Services Leaving User Data Open to Hackers

I like the catch phrase they've given this one

HACKMAGEDDON!

It's going from bad to worse. I just have a really bad feeling about all this stuff that's suddenly happening in cyber world.

Security researchers have unearthed multiple vulnerabilities in hundreds of GPS services that could enable attackers to expose a whole host of sensitive data on millions of online location tracking devices managed by vulnerable GPS services. The series of vulnerabilities discovered by two security researchers, Vangelis Stykas and Michael Gruhn, who dubbed the bugs as 'Trackmageddon' in a report, detailing the key security issues they have encountered in many GPS tracking services.

Trackmageddon affects several GPS services that harvest geolocation data of users from a range of smart GPS-enabled devices, including children trackers, car trackers, pet trackers among others, in an effort to enable their owners to keep track of where they are.

By exploiting these flaws, an unauthorized third party or hacker can get access to personally identifiable information collected by all location tracking devices, including GPS coordinates, phone numbers, device model and type information, IMEI numbers, and custom assigned names.

What's more? On some online services, an unauthorized third party can also access photos and audio recordings uploaded by location tracking devices. The duo said they have been trying to reach out to potentially affected vendors behind the affected tracking services for warning them of the severity of these vulnerabilities. According to the researchers, one of the largest global vendors for GPS tracking devices, ThinkRace, may have been the original developer of the flawed location tracking online service software and seller of licenses to the software.

If these guys think it's a dangerous, no doubt in my mind it is. Things are getting weird, like the pyramid is about to fall or something. What would they use this for if it fell into some evil jihadi out of blood and revenge on a night of drunken binging? The more things change.... you know the rest.

You can find the entire list of affected domains on the Trackmageddon report.

Why do you disclose this before all online services are fixed? We used to have a long disclosure rationale here, but because the situation has changed dramatically after we made the decision to disclose and we continuously evaluate the situation resulting in first cutting our initial communicated deadline shorter (due to lack of vendor response from still affected vendors) then in the end extending the deadline (due to sudden vendor responsiveness), in the end our disclosure rationale was read able anymore.

In the end, it boils down to this: We tried to give the vendors enough time to fix (also respond for that matter) while we weighted this against the current immediate risk of the users. We understand that only a vendor fix can remove user’s location history (and any other stored user data for that matter) from the still affected services but we (and I personally because my data is also on one of those sites) judge the risk of these vulnerabilities being exploited against live location tracking devices much higher than the risk of historic data being exposed.

What' been creepy as it is and likely exposing data for so long is Android cell phone apps. These are consented to, but the user downloading the app is thinking the only use of access to their phone's location, images, etc., just just for the app's platform and helping them chose ads for you.

Keep in mind, many of those apps can be made by anyone, and could very well be exposing info beyond just the app makers. Looking up the app on search can help determine if there's privacy violations noted by users. With ease of some technology comes annoying hassles.

a reply to: dreamingawake

The spider has spun it's web, and the traps been set. Zip forward 20 years and we've all be had, lied to, lied about and spent our lives online living the big lie.

Oh no! I've got bought my Domino's Pizza instant GPS-tracker order watch. Press the button and a pizza will be delivered within 30 minutes directly to my location.

a reply to: stormcell

I'd be wary of that, those hackers might take it. Or you could end up with a few dozen via a funny guy with too much time on his hands.

a reply to: Blender5L

– Dr Day’s futuristic talk "Everything Is In Place And Nobody Can Stop Us Now" as recorded by Lawrence Dunegan, MD

There are over 100 things Dr Day said would happen, this is just one of them.

DR Day said everything has two purposes. One is the ostensible purpose which will make it acceptable to people, and second is the real purpose which would further the goals of establishing the new system, among other things.

Mobile phones are acceptable to people, and second is the real purpose which would be track poeoples movements and their conversations. you win, they win but remember, it applies to just about all technology even this computer I am useing to write this with.

a reply to: Azureblue

Just keep your location turned to off until you actually need to use gps services.

a reply to: Azureblue

Yep.I never assume privacy or security re anything like cells and pc's and laptops etc.I live my life,let them listen if they so wish.I'm certainly not wasting a minute of my life worrying about it.

NAW....those are not vulnerabilities....that's a back door

left open for third party access....not unlike a voting machine in the U.S.

a reply to: dreamingawake

I used to download apps on this phone,an old Samsung J1 smartphone.I passed up on the ones who requested permission for microphone use,since i was downloading art apps thus absolutely no need for a mike permission.It is always a risk,but there are ones that are google play certified to be safer.I have a different view for myself personally re all this spying.Although i don't like it one lil bit,i am a lifelong abductee so i have been tagged,tracked and traced since birth.That type of thing gives one a more cavalier attitude re earthly spying i guess.

originally posted by: dragonridr
a reply to: Azureblue

Just keep your location turned to off until you actually need to use gps services.

Many of us do exactly that but its the young and the naieve who belive govt claims they are concerned for our physuical security and do not see the dark 'conspiracy' in what the people Dr Day represented had in mind.

I tell such people to put the govt professed concern for our physical secuity up against a compareable yard stick such as their level of concern for our financial security but still they dont see.

originally posted by: Raxoxane
a reply to: Azureblue

Yep.I never assume privacy or security re anything like cells and pc's and laptops etc.I live my life,let them listen if they so wish.I'm certainly not wasting a minute of my life worrying about it.

Thats fine Roxanne but the troulble is as someone once said; "those who have no interest in politics will be ruled by those who do."

Taking the view that you will not allow them to upset your life by not caring about what know about you is fine and is to be admired. However, it will surely mean they will rule you.

Prudence and history says the powerfull will always seek power over the powerless and as John Lennon once said, power corrupts and absolute power corrupts absolutley.

Please bear in mind that many think that just because people are rich they are therefore nice people too. Many of the people that want to rule us are not nice people at all and want to impose their own ideas about how the world should work.



stay safe

a reply to: Azureblue

Thank you Azure,and rest assured i do know that many super wealthy people are not nice.Especially the ones that play this planet and it's citizens like some obscene real life game of Monopoly.Since i was very very young,i knew that.I was adopted and raised by a strange,strange woman,who idolised the British and other royal families,and who was fascinated and besotted with the Rothschild family in particular.It was like she honestly believed vast wealth and power bestowed decency..even as a wee kiddie i found her worldview disturbing.I was myself a strange child,somehow i came into this world with a Knowing about certain things,including an innate and soul core deep aversion to religions.Just saying,as it pertains to Me personally it really is a moot point,the spying.

originally posted by: GBP/JPY
NAW....those are not vulnerabilities....that's a back door

left open for third party access....not unlike a voting machine in the U.S.

A back door they conveniently forgot to close?

a reply to: Raxoxane

Same I try to limit if they ask for permission for it, since I've been sucked into having to use one for work reasons, etc. I figure the following article pertains to the topic:

These apps, some of which are targeted at children, use software from a startup called Alphonso, which quietly collects data about people’s TV viewing habits and sells it on to advertisers.

Around 1,000 games and social apps reportedly use the software, with more than 250 of them available to download from Google Play and a smaller number also available from Apple’s App Store.

I'm sure it's probably more than that.

Source