Privacy and security flaws in devices that track your location


Cybercriminals are always on the prowl, creating havoc. Last week, there was a major cyberattack that shut down several major websites.

In most cybercrimes, the criminal is trying to get their hands on our personal information and steal our money. You won't believe what gadgets they are able to attack you with now.

If you're like me, you sometimes struggle with finding your keys, phone or wallet. The good news is there is technology now that helps eliminate that problem. There are tracking devices, about the size of a coin, that utilize GPS to help find your missing items.

The bad news is criminals are able to steal your information from some of these gadgets. The trackers work by connecting to your gadget via Bluetooth. The tracker then uses GPS to find your lost item.

You also need an app to use the tracker, and the apps are compatible with both Apple's iOS and Google's Android mobile operating systems. Here is where the problem lies: critical security flaws have been found in the apps created for the iPhone and iPad.

It's not just your location that the scammer is tracking. Some of these flaws are also exposing your personal data. Here is a list of trackers and the security flaws that were found in each of them:

Flawed trackers:

  • TrackR Bravo - This product's mobile app stores account passwords unencrypted. It also gives unauthenticated access to GPS information, which means scammers are able to access that data without user credentials. To make matters worse, the tracking ID of the device is exposed and can be stolen over Bluetooth by an attacker who is in the area. Since TrackR Bravo allows unauthenticated pairing, the scammer is able to link to your device and modify your data.
  • Zizai Tech's Nut tracker - This product's app also stores account passwords unencrypted. Another flaw is that session tokens can be leaked during communication between the app and the web, because the data is sent unsecured. Scammers could use what's called a man-in-the-middle (MiTM) attack to steal the unsecured data and get full access to your account. Finally, the Nut app allows unauthenticated Bluetooth gadgets to write to the tracker's attributes. This means the tracker's name can be changed by anyone, not just its registered user.
  • iTrack Easy - The first flaw is that its tracking ID can be stolen over Bluetooth by someone in the area. The attacker can then register the tracker under a fake account and track the user by getting access to the GPS data. Second, this product does not use session cookies to maintain valid user sessions. This means the user's account can be compromised through a MiTM attack.

The thought of a criminal being able to find your exact location by GPS is scary. Having them steal your credentials is also frightening, as it opens the door to many other attacks.

An essential step in securing any Internet-of-Things (IoT) device, or smart gadget, is to secure your router. Read this article for some other helpful tips on how to protect IoT devices.

Also, if you own one of the trackers that were found to have flaws, you should contact the manufacturer to see if there are any security patches that will fix the flaws. If you're thinking about buying a tracker, make sure you do some research ahead of time to make sure it's secure.

Even though these flaws were only found with Apple products, it's probably only a matter of time before scammers infiltrate Androids. Keep checking in with our Happening Now section and we'll keep you informed of any updates.

Source: ZDNet