Security researchers are warning that a serious vulnerability in a GPS service platform made by the China-based firm ThinkRace exposes sensitive data across scores of GPS tracking services, more than two years after the hole was first discovered and reported to the firm. (Update: added comment from John van den Oever, the CEO of one2track B.V – PFR 1/3/2018)
Data including a GPS enabled device’s location, serial number, assigned phone number and model and type of device can be accessed by anyone with access to the GPS service, not only the device’s owner. In some cases, other information is available, including the device’s location history going back one week. In some cases, malicious actors could also send commands to the device via SMS, including those used to activate or deactivate geofencing alarm features, such as those used on child-tracking devices.
Hundreds of Thousands of Devices Affected
The vulnerabilities affect hundreds of thousands of connected devices that use the GPS services, from smart watches, to vehicle GPS trackers, fitness trackers, pet trackers and more. At issue are security holes in back-end GPS tracking services that go by names like amber360.com, kiddo-track.com, carzongps.com and tourrun.net, according to Michael Gruhn, an independent security researcher who noted the insecure behavior in a location tracker he acquired and has helped raise awareness of the widespread flaws. Working with researcher Vangelis Stykas, Gruhn discovered scores of seemingly identical GPS services, many of which have little security, allowing low-skill hackers to directly access data on GPS tracking devices.
Security Holes Noted – and Ignored
News about the security holes is not new. In fact, the security holes in ThinkRace’s GPS services are identical to those discovered by New Zealand researcher Lachlan Temple in 2015 and publicly disclosed at the time. Temple’s research focused on one type of device: a portable GPS tracker that plugged into a vehicle’s On Board Diagnostic (OBD) port. However, Stykas and Gruhn say that they have discovered the same holes spread across a much wider range of APIs (application programming interfaces) and services linked to ThinkRace.
Email and text messages sent to contacts at ThinkRace were not returned. The company has offices in both India and China.
Gruhn said that he and Stykas (re)discovered the security holes in October but struggled to contact and inform both ThinkRace and its customers about the flaws. Many of the GPS services affected by the flaw had inaccurate or missing contact information, while ThinkRace ignored inbound reports from the researchers for weeks before the company responded on December 31st, promising to fix the reported flaws in its service.
The researchers had better luck with One2Track, a Dutch maker of GPS enabled kids’ watches. After being contacted by the researchers, the company said in a statement that it fixed the security holes in the GPS service as they applied to its products within 48 hours of being notified of them and reported the issue to the Dutch Data Protection Authority.
One2Track did not respond to an email request for an interview prior to publication. In an email sent after publication, John van den Oever, the CEO of one2track B.V., told The Security Ledger that his company has licensed ThinkRace’s GPS services and that ThinkRace engineers still do “management, maintenance and customization” on the cloud platform that backs his company’s products. However, he said One2Track was already in the process of switching from ThinkRace’s GPS service to one hosted on servers in Amsterdam at the time it was notified. That changeover is expected to take place in February 2018.
Potentially millions of devices affected
Gruhn said that One2Track was unusual in its response to the researchers’ outreach. Few companies contacted by Gruhn and Stykas have responded in any way, leaving the researchers unsure of whether the flaw is being addressed in affected devices, or ignored.
Regardless, the impact of the flaws in the GPS services is considerable and may stretch beyond ThinkRace. Gruhn also noted references to a similar service, Yiwengps.com, among the GPS services he studied. In all, the researchers identified more than 100 GPS services that were affected and unpatched. The number of devices that use these services isn’t known, but could number in the millions. Just one site, gpsui.net, acts as the master server for what Gruhn and Stykas estimate to be more than 615,000 GSM and GPS location tracking devices.
The service is vulnerable to more than one authorization bypass attack, in which an attacker can access and interact with the GPS service without first entering a user name and password. Those, in turn, could open the door to so-called “privilege escalation” attacks that expose all location tracking information stored by the site. Attackers could potentially send commands to, and control, every connected device that uses the service.
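To make the two flaw classes named above concrete, here is an added illustration (not ThinkRace’s code, nor anything recovered from the affected services) of a device-lookup and device-command handler written three ways: one that never checks for a session at all, one that requires a login but never checks that the device belongs to the logged-in account (the insecure direct object reference pattern that lets any customer enumerate every tracker on a platform), and a hardened version that checks both. All account names, session tokens, device identifiers and locations are constructed for the example.

```python
"""Added example: device lookup without authentication, with authentication
but without authorization, and with both checks.  Every record below is
constructed sample data, not data from any real tracking service."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Device:
    device_id: str
    owner: str                 # account that registered the tracker
    imei: str                  # serial-type identifier (constructed)
    phone: str                 # SIM number assigned to the tracker (constructed)
    location: Tuple[float, float]


# Constructed sample data: two accounts, three trackers.
DEVICES: Dict[str, Device] = {
    "1001": Device("1001", "alice", "CONSTRUCTED-IMEI-1", "+10000000001", (52.37, 4.90)),
    "1002": Device("1002", "alice", "CONSTRUCTED-IMEI-2", "+10000000002", (52.38, 4.91)),
    "2001": Device("2001", "bob",   "CONSTRUCTED-IMEI-3", "+10000000003", (48.85, 2.35)),
}
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}  # token -> account

# Commands a customer may legitimately send to their own tracker (hypothetical names).
ALLOWED_COMMANDS = {"locate", "geofence_on", "geofence_off"}


class Unauthenticated(Exception):
    """No valid session was presented."""


class Forbidden(Exception):
    """Valid session, but the device or command is not permitted for that account."""


def _record(d: Device) -> dict:
    return {"imei": d.imei, "phone": d.phone, "location": d.location}


def lookup_no_auth(device_id: str, session: Optional[str] = None) -> dict:
    """Flaw class 1: the handler ignores the session entirely, so anyone who can
    reach the endpoint and supply a device id receives the record."""
    return _record(DEVICES[device_id])


def lookup_idor(device_id: str, session: str) -> dict:
    """Flaw class 2: a login is required, but ownership is never checked, so any
    customer can walk the id space and read every device on the platform."""
    if session not in SESSIONS:
        raise Unauthenticated()
    return _record(DEVICES[device_id])


def _owned_device(device_id: str, session: str) -> Device:
    """Shared check for the hardened handlers: authenticate, then authorize."""
    account = SESSIONS.get(session)
    if account is None:
        raise Unauthenticated()
    device = DEVICES.get(device_id)
    # Same failure for "no such device" and "not your device", so a probing
    # client cannot learn which ids exist.
    if device is None or device.owner != account:
        raise Forbidden()
    return device


def lookup_hardened(device_id: str, session: str) -> dict:
    return _record(_owned_device(device_id, session))


def send_command_hardened(device_id: str, session: str, command: str) -> str:
    """Device commands (the article mentions geofence toggles and callback
    numbers) get the same ownership check plus a command allow-list."""
    device = _owned_device(device_id, session)
    if command not in ALLOWED_COMMANDS:
        raise Forbidden()
    return f"queued {command} for {device.device_id}"


def outcome(fn, *args) -> str:
    """Helper for demonstrations and tests: classify how a handler responds."""
    try:
        fn(*args)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    # Alice's session reading Bob's tracker 2001 under each handler.
    print("no auth  :", outcome(lookup_no_auth, "2001"))                # ok (leak)
    print("idor     :", outcome(lookup_idor, "2001", "sess-alice"))     # ok (leak)
    print("hardened :", outcome(lookup_hardened, "2001", "sess-alice")) # forbidden
    print("own dev  :", outcome(lookup_hardened, "1001", "sess-alice")) # ok
```

The point of the hardened variant is that authentication alone closes only the first hole: the ownership comparison in `_owned_device` is what stops a logged-in customer from reading or commanding someone else’s tracker, and returning the same error for unknown and foreign ids keeps the id space from being enumerated.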
ThinkRace’s website says that the company designs and manufactures “quality products such as GPS trackers, GPS watches, Pet Tracker, Car GPS Tracker (and) innovative security and fitness monitoring devices using wireless communications technologies.” It claims to support clients from vendors like Orange, STC, Huawei, Viettel and China Mobile and to provide “ultra-reliable safety tracking services in the form of 8,000,000 devices in a high scale system by working with Amazon AWS cloud platform.”
Gruhn notes that the flaws are worrisome given that many location trackers also sport embedded microphones.
“An attacker could push commands to register a new remote phone number to devices and set them to call the number when their surrounding noise threshold surpasses a particular level. This would allow an attacker not only to listen in on the 615,817 devices,” opening the user to violations of their personal privacy as well as scams, Gruhn wrote.
This is just the latest example of security risks resulting from third-party software and hardware providers. In 2016, for example, researchers at the firm Kryptowire warned that software made by Shanghai ADUPS Technology Co. and used in smart phones was transmitting user and device information to servers in China including text messages, contact lists, call history with full telephone numbers and so on. In May, security researchers at the firm Whitescope warned that software used to remotely program implantable cardiac devices by a number of vendors is rife with exploitable software vulnerabilities that leave the devices vulnerable to attacks and compromise.