Update: TrackR has responded to Rapid7’s disclosure.
First, it said it had addressed the authentication issue months ago, but the deprecated call remained online even though it was no longer used by its apps. “We are grateful that Rapid7 brought this possible point of confusion to our attention; as of yesterday, that call has been completely removed but no consumers have had access since we became aware of this issue in the spring,” the company told Threatpost.
It also said that its products’ broadcasting of unique identifiers is by design: a power-efficiency feature common to tracking devices with Crowd GPS capabilities. “There is no user data stored in the device and enabling connection only allows for nearby users to ring the device,” the company said. “When the device is nearby the user, the device doesn’t advertise.”
TrackR has also submitted updates to address plaintext passwords on its iOS datastore and its insecure data calls.
Small Bluetooth-enabled trackers that loop onto your keyring or attach to anything important you might lose are the latest connected devices to pose a risk to users.
Trackers made by TrackR, iTrack and Nut suffer, to varying degrees, from a variety of privacy issues. They leak their location data, allow unauthenticated Bluetooth pairing, send passwords in the clear, and keep session tokens alive indefinitely, among other problems that may not be easy to fix.
“Unfortunately, I think it’s a complex fix,” said Rapid7 researcher Deral Heiland, who, along with colleague Adam Compton, published an advisory today. Of the three vendors named in the advisory, only TrackR acknowledged receiving Rapid7’s private disclosure, Heiland said. None, however, has moved forward with a patch or mitigation for any of the issues.
“These are consumable devices; you spend $25 on it, and if there’s a problem, throw it away and get another,” Heiland said. “I don’t believe there is a solid mechanism for upgrades actually in place in the hardware. To change the pairing process to be more secure, or to change the tracking key seems to be more difficult in existing devices. I believe that going forward, this would be fixed in a version-2 type of thing.”
These small Bluetooth devices work in conjunction with a mobile iOS or Android application and can be used to track lost or misplaced items such as keys or a wallet. The app uses GPS positioning, or Bluetooth when within close proximity, to locate lost items and set off an audible alarm or show their location on a mapping application such as Google Maps.
Heiland told Threatpost that TrackR’s Bravo product had the most severe privacy issues, and that those were relatively simple to exploit. One particularly worrisome problem is that the TrackR Bravo device ID is easily obtained by anyone running a Bluetooth Low Energy (BLE) scanning application that monitors for nearby BLE devices. The device ID, Rapid7 said, is constructed from the manufacturer identifier (four zeros in this case) and the device’s MAC address in reverse.
“You can feed that into the web interface, which has no security on the Internet, and get the device’s GPS location,” Heiland said.
The web interface, Heiland said, is part of the product’s functionality and is used to feed device and GPS data to the web application. However, no authentication is required to access the GPS data. The device also allows unauthenticated pairing, accepting nearby BLE connections from anyone, not just the registered user.
“You can easily track somebody,” he said. “If you have someone unscrupulous in a crowd ID a TrackR Bravo device, pair with it and set off the alarm remotely. You now know who has the device.”
Despite the difficulty in patching, the risk is relatively low for most users.
“Our approach was an awareness thing,” Heiland said. “Everyone can accept the risk based on their comfort factor. For most there is minimal risk. If I was someone in a position of authority, that would pose a higher level of risk. If I were a government official or executive at an important company, I may have reservations about using these products. If you don’t have an imminent threat, personally I don’t see an issue.”
Heiland said the privacy issues he and Compton found in iTrack Easy and Nut devices are not as severe or as easy to exploit. iTrack Easy devices also leak their device ID and allow unauthenticated modification of GPS data. Nut devices do not enforce authenticated pairing, and also leak session token information that could be used by an attacker to access accounts.
“80% of everything it did was over SSL except for 3 buttons on the product,” Heiland said. “And every one passes a session token. When you authenticate with the product, it stays authenticated forever. It uses the same session token forever, unless you force the product to log out. Once the session token is compromised, which could easily happen, you have access to everything configured in Nut like PII, tracking data, friend data and more.”