Security researchers have published a report on a series of flaws they named “Trackmageddon” that affect many GPS and location tracking services. These flaws could allow cybercriminals to expose sensitive data from millions of online location tracking devices managed by the vulnerable GPS services.
Cybercriminals can use the Trackmageddon flaws to expose information such as GPS coordinates, location history, device model and type, serial number, mobile number and possibly other private data, depending on the tracking service and device configuration.
They can obtain access to data by using default credentials (such as “123456”) and insecure direct object reference (IDOR) vulnerabilities, which enable an authenticated attacker to access other users’ accounts simply by modifying the value of a parameter in the URL.
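The two weaknesses described above are easiest to see side by side. The following Python is an added example, not code from the Trackmageddon report or from any affected vendor: it models a tracker-lookup endpoint in its vulnerable form (record selected purely by the client-supplied id) and its hardened form (lookup scoped to the authenticated owner), plus a registration-time check that refuses the weak default password the page mentions. The user names, tracker ids and coordinates are constructed sample data.

```python
"""Added example (not from the report or any vendor): an IDOR-prone lookup
beside its hardened form, and a default-credential check. All data below is
constructed for illustration only."""

# Constructed sample store: tracker records owned by two hypothetical users.
TRACKERS = {
    "1001": {"owner": "alice", "serial": "CONSTRUCTED-SERIAL-1", "last_fix": (52.52, 13.405)},
    "1002": {"owner": "bob", "serial": "CONSTRUCTED-SERIAL-2", "last_fix": (48.85, 2.35)},
}

# The weak default credential named on the page, plus a minimum length rule.
DEFAULT_PASSWORDS = {"123456"}
MIN_PASSWORD_LENGTH = 12


class Forbidden(Exception):
    """Raised when a caller asks for a record they are not allowed to see."""


def get_tracker_vulnerable(session_user: str, tracker_id: str) -> dict:
    """Vulnerable pattern: the caller is authenticated, but the record is
    selected solely by the id taken from the URL, so any logged-in user can
    read any tracker by changing that id (an insecure direct object reference)."""
    if not session_user:
        raise Forbidden("login required")
    return TRACKERS[tracker_id]  # no check that session_user owns tracker_id


def get_tracker_hardened(session_user: str, tracker_id: str) -> dict:
    """Hardened pattern: authorization is checked against the record's owner,
    so a tampered id for someone else's device is refused. The same error is
    returned for 'missing' and 'not yours' so ids cannot be enumerated."""
    if not session_user:
        raise Forbidden("login required")
    record = TRACKERS.get(tracker_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden("not found")
    return record


def password_is_acceptable(password: str) -> bool:
    """Registration-time check: reject the vendor default and short passwords
    so a device is never left reachable with a publicly known credential."""
    return password not in DEFAULT_PASSWORDS and len(password) >= MIN_PASSWORD_LENGTH


def demo() -> tuple:
    """Bob is logged in and requests Alice's tracker id. Returns the owner the
    vulnerable handler leaks and whether the hardened handler blocked it."""
    leaked_owner = get_tracker_vulnerable("bob", "1001")["owner"]
    try:
        get_tracker_hardened("bob", "1001")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked_owner, blocked


if __name__ == "__main__":
    print(demo())  # ('alice', True)
    print(password_is_acceptable("123456"))  # False
```

The hardening is an ownership check on the server side, which is why the researchers' advice that changing your own password does not help holds: the password protects your account, but the vulnerable lookup never consults account ownership at all.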
The researchers tried to contact the vendors behind the affected tracking services to inform them of the severity of these security flaws. They have published a list of services that patched or may have patched the vulnerabilities, a list of services still exposing data, and a list of vulnerable devices.
According to researchers:
As long as the online service managing your device is still vulnerable, changing your password will not matter, and there is unfortunately not much you can currently do to protect yourself besides stopping using the device.