IoT tracking tech creates stalker risk
Tracking devices that connect to iPhones, Androids and iPads are riddled with vulnerabilities.
Security researchers at Rapid7 discovered that many devices store account passwords in cleartext. Unauthenticated pairing is another security issue.
Other vulnerabilities enable hackers to gain access to GPS data on a user’s location.
Finally, web-based weaknesses would allow a malicious actor to gain full access to a user’s account.
Tracker devices allow consumers to locate valuable items such as their keys, wallet, or phones and to track them in cases where they might be stolen.
Three devices were assessed: the TrackR Bravo from TrackR; the iTrack Easy from KKMCM; and the Nut from Zizai Tech.
TrackR Bravo presented the worst security risk but all exhibited multiple problems.
The TrackR Bravo – the most widely used device of its type – could easily be abused by stalkers, Rapid7 warns, since the flaws let an attacker use the device to track its owner.
If someone is carrying a TrackR Bravo, a malicious actor could pick out people with these devices in a crowd using freely available Bluetooth Low Energy (BLE) scanner apps for a smartphone.
Once a vulnerable device is found in a crowd, the attacker could narrow it down to the actual person by connecting to the device, which requires no authentication, and setting off its alarm.
The attacker could then track the owner of the TrackR Bravo using the device ID, which is also broadcast over BLE, to look up online the GPS coordinates that the device and its companion mobile app report.
To some extent the iTrack Easy device is also vulnerable to a similar scenario.
Smiles for Tiles
The Tile App from Tile, Inc was also examined, and no flaws were discovered aside from a minor screenshot-caching issue, which the researchers did not consider a security problem.
As for the other devices, a product upgrade is likely to be needed to mend the flaws. Rapid7 "researchers do not expect these devices to be patchable … hopefully future releases of this product will address these issues".
El Reg invited TrackR, KKMCM and Zizai Tech to comment but at time of writing we have yet to hear back from any of the IoT kit suppliers. ®