
2 Years Later, Security Holes Linger In GPS Services Used By Millions of Devices (securityledger.com)

chicksdaddy quotes a report from The Security Ledger: Security researchers say that serious security vulnerabilities linger in GPS software by the China-based firm ThinkRace more than two years after the hole was discovered and reported to the firm, The Security Ledger reports. Data including a GPS-enabled device's location, serial number, assigned phone number and model and type of device can be accessed by any user with access to the GPS service. In some cases, other information is available including the device's location history going back 1 week. In some cases, malicious actors could also send commands to the device via SMS, including those used to activate or deactivate geofencing alarm features, such as those used on child-tracking devices.

The vulnerabilities affect hundreds of thousands of connected devices that use the GPS services, from smart watches, to vehicle GPS trackers, fitness trackers, pet trackers and more. At issue are security holes in back-end GPS tracking services that go by names like amber360.com, kiddo-track.com, carzongps.com and tourrun.net, according to Michael Gruhn, an independent security researcher who noted the insecure behavior in a location tracker he acquired and has helped raise awareness of the widespread flaws. Working with researcher Vangelis Stykas, Gruhn discovered scores of seemingly identical GPS services, many of which have little security, allowing low-skill hackers to directly access data on GPS tracking devices.

Alas, news about the security holes is not new. In fact, the security holes in ThinkRace's GPS services are identical to those discovered by New Zealand researcher Lachlan Temple in 2015 and publicly disclosed at the time. Temple's research focused on one type of device: a portable GPS tracker that plugged into a vehicle's On Board Diagnostic (or OBD) port. However, Stykas and Gruhn say that they have discovered the same holes spread across a much wider range of APIs (application program interfaces) and services linked to ThinkRace.

  • ...vulnerabilities linger in a GPS software...

    You do not install "a hardware" -- you do not wear "a clothing" or eat "a toast" or read "an information" -- and there is no such thing as "a software" -- thank you.

    • Thank you for pointing this out, but the most grievous disregard for the difference between countable and uncountable nouns is "email", as in "I received 3 emails this morning." But no one says "I received 3 mails this morning," since it's quite apparent that "mail" (and hence "electronic mail", or "e-mail") doesn't take any plural form.

      This is a ignorance that really bugs me. :P (And if anyone wants to say that I should have said "AN ignorance", warn me first so I can barf.)

      • by AndroSyn ( 89960 )

        But no one says "I received 3 mails this morning,"

        The reason being mail is the SERVICE that delivers letters and parcels. You'd say "I received 3 letters this morning".

        I hate to break it to you, but the rest of the world considers email to be both uncountable in the case of email as the SERVICE that delivers the email and countable as in the emails (nobody calls them letters) that are delivered via the uncountable email service.

        This link explains it better than I can: Explanation for emails [stackexchange.com]

        Prescriptivism isn

  • by mspohr ( 589790 ) on Wednesday January 03, 2018 @06:31PM (#55858779)

    So, if you have access to the GPS service, you can access GPS information including location and the device model, etc.
    Also, if you have access to the GPS service, you can send it GPS type commands... shocking!

    Isn't this the way it's supposed to work?

    • Michael Gruhn’s report on the vulnerability [0x0.li] (linked in the article) has more information and is more understandable (to me) than the article itself.

      Choice excerpts:

      “An unauthorized third party can access: the location, model/type name, serial number (i.e. IMEI), assigned phone number, custom assigned name... of all location tracking devices managed by a vulnerable online service.”

      “An unauthorized third party can: access the location history; send commands; activate and/or deactivate

      • by mspohr ( 589790 )

        Thanks for the additional information. I suspected I was missing something.

      • What's not mentioned in the writeup is how totally dysfunctional the market is when it comes to these security vulns. If this had been anything else, e.g. a safety issue in some consumer product, then there'd be a major recall, fines, media coverage, you name it. In this case, with a serious security vuln, the vendor basically ignored it, and nothing happened.

        And that's why the IoS is in the state it is. You can't make a product so unsafe/insecure that people won't keep buying it.

    • My family uses a tracking app on our phones (so we can see when kids get home, where they are, etc) but I'm not clear on what this "vulnerability" amounts to. If it allowed them access to stored data for other apps on the phones that would be concerning but it doesn't appear to do that. Hope someone can explain this one better.
  • If a device has no meaningful security and was never designed to have any, you can't call it a vulnerability. An open park with no fence doesn't have a vulnerability to people walking on it. I find a lot of these vulnerabilities are simply some people thinking that such and such a device should be secure against something they think is a threat. I'm vulnerable to every car that passes me as I walk down the street; should we put up a barrier around every road? Sure, someone could hack these devices, but no one
