'Every step your anti-theft tracker takes – I'll be watching you'

Phone-sync'd widgets open folks to stalker risk

Tracking widgets that you stick on your keys and wallet so you don't lose them are riddled with security vulnerabilities, we're told.

These tracker devices allow folks to locate valuable items and find them again. They communicate over Bluetooth with iOS and Android handhelds, so if they go out of range of each other, a little alert can go off on your phone or tablet to let you know something's up.

Researchers at Rapid7 have discovered that many of these gadgets store their cloud account passwords in cleartext. Unauthenticated pairing is another security issue.

Other vulnerabilities in the software enable hackers to gain access to a person's GPS location records. Finally, web-based weaknesses would allow a malicious actor to gain full access to a user's account.

Three devices were assessed: the TrackR Bravo from TrackR; the iTrack Easy from KKMCM; and Nut from Zizai Tech. TrackR Bravo presented the worst security risk but all exhibited multiple problems.

The TrackR Bravo – the most widely used device of its type – could easily be abused by stalkers, Rapid7 warns.

An attacker could use the devices to stalk someone. If someone is using the device (TrackR Bravo), a malicious actor could discover users with these devices in a crowd, using easily available Bluetooth Low Energy (BLE) apps for their smartphone.

Once a vulnerable device is found in a crowd, a malicious actor could narrow it down to the actual person by accessing the device to set off the device alarm. The malicious actor could then track the owner of the device (TrackR Bravo) by using the device ID, also available via BLE, to track them online using their GPS coordinates generated by the device/mobile app functions.

To some extent the iTrack Easy device is also vulnerable to a similar scenario.

Smiles for Tiles

The Tile App from Tile, Inc. was also examined, but no flaws were discovered, aside from a minor screenshot-caching issue that Rapid7 did not consider a security risk.

As for the other devices, a product upgrade is likely to be needed to mend the flaws. Rapid7 "researchers do not expect these devices to be patchable … hopefully future releases of this product will address these issues".

El Reg invited TrackR, KKMCM and Zizai Tech to comment but at time of writing we have yet to hear back from any of the IoT kit suppliers. ®
