![]() The TrackR ID is the manufacturer device ID, which is constructed of a manufacture identifier of four zeroes (0000), followed by the BLE MAC address in reverse (0f7c-XXXXXXd9) for a combined TrackR ID of 00000f7c-XXXXXXd9. The TrackR device ID can be obtained by being in close proximity to a TrackR device and utilizing a Bluetooth low energy (BLE) application to monitor for BLE devices. Users are strongly advised to avoid reusing passwords between services whenever possible in order to limit the damaging effects of accidental or intentional exposure of account credentials. While some local storage is likely necessary for normal functionality, such information should be stored in an encrypted format that requires device authentication. Mitigation for R7-2016-18.1Ī vendor-supplied patch should configure the mobile app to prevent storing potentially sensitive information such as passwords in cleartext. Given typical user habits of password reuse, this sort of password disclosure can impact other online services. Examining the cache.db file reveals the cleartext password as shown in Figure 1. R7-2016-18.1: Cleartext Password (CVE-2016-6538)Įxamination of the TrackR Bravo mobile application running on an iPad revealed that the account password used to authenticate to the cloud API was stored in cleartext in the cache.db. The TrackR mobile app also caches screenshots when minimized while no critical information appears to be exposed in this way, it is a best practice to clear unique data and use a generic application image for context switching. R7-2016-18: Multiple Vulnerabilities in Trackr Bravo Vulnerability ![]() Most of the vulnerabilities described are only exploitable by an adversary who is in close physical proximity to the affected devices the effective range of an exploit is noted on the summary table for each vendor. Until vendor-supplied fixes are available, the risks associated with these vulnerabilities should be weighed against the benefits of continuing to use these tracker devices and applications. Users concerned about these issues should reach out to their respective vendors using their normal support mechanisms, and update their mobile applications when fixes are released. Vulnerability Detailsįor each product, vulnerability details and possible mitigations are discussed below. was also examined, but none of these issues were discovered with this product, aside from a minor screenshot caching issue which does not appear to reveal private information. ![]() The devices examined were the TrackR Bravo from TrackR, the iTrack Easy from, and the Nut from Zizai Tech. The tracking hardware tokens themselves do not maintain network connections, but rely on associated smartphone apps to report geolocation data. These devices pair with the user's smartphone via Bluetooth, and can alert the user when the device moves out of range. Product Descriptionīluetooth Low Energy (BLE) device trackers are small hardware tokens that are designed to be attached to personal items such as keyrings, wallets, or purses. and disclosed in accordance with Rapid7's disclosure policy. These issues were discovered by Deral Heiland and Adam Compton of Rapid7, Inc. The table below briefly summarizes the twelve vulnerabilities identified across three products. Attackers can leverage these vulnerabilities to locate individual users' devices, and in some cases, alter geolocation data for those devices. While examining the functionality of three vendors' device tracker products, a number of issues surfaced that leak personally identifying geolocation data to unauthorized third parties. Last updated at Wed, 00:06:37 GMT Executive Summary ![]()
0 Comments
Leave a Reply. |