Researchers find several security flaws in GPS
LONDON: Many GPS and location tracking services are vulnerable to a number of security flaws that could expose personally identifiable information, two security researchers have warned.
Vangelis Stykas and Michael Gruhn describe the series of flaws as ‘Trackmageddon’ in a report on the key security problems they have found in many GPS tracking services.
These services are used to harvest geolocation data from a range of connected devices, including kids' trackers, car trackers and pet trackers, in order to enable their users to keep track of where they are.
Alarmingly, the researchers warn that security flaws in a number of these services could be exploited, enabling attackers to steal geolocation data from the people who use these services.
“We found vulnerabilities in the online services of (GPS) location tracking devices,” said the researchers in a post detailing the vulnerabilities.
“These vulnerabilities allow an unauthorised third party (among other things) access to the location data of all location tracking devices managed by the vulnerable online services.”
The researchers said vulnerabilities include exposed folders, unsecured API endpoints, insecure direct object reference flaws and easy-to-guess passwords.
By exploiting these flaws, attackers can get access to information such as phone numbers, device IMEI and serial numbers, GPS coordinates and personal data.
Over the past few months, the researchers have been reaching out to potentially affected companies to ensure they understand the severity of these flaws.
They believe that many of these services could be using outdated versions of the popular location tracking software ThinkRace, and strongly advise them to stay up-to-date.