This article is more than 1 year old

'Every step your anti-theft tracker takes – I'll be watching you'

Phone-sync'd widgets open folks to stalker risk

Tracking widgets that you stick on your keys and wallet so you don't lose them are riddled with security vulnerabilities, we're told.

These tracker devices allow folks to locate valuable items and find them again. They communicate over Bluetooth with iOS and Android handhelds, so if they go out of range of each other, a little alert can go off on your phone or tablet to let you know something's up.

Researchers at Rapid7 have discovered that many of these gadgets store their cloud account passwords in cleartext. Unauthenticated pairing is another security issue.

Other vulnerabilities in the software enable hackers to gain access to a person's GPS location records. Finally, web-based weaknesses would allow a malicious actor to gain full access to a user’s account.

Three devices were assessed: the TrackR Bravo from TrackR; the iTrack Easy from KKMCM; and Nut from Zizai Tech. TrackR Bravo presented the worst security risk but all exhibited multiple problems.

The TrackR Bravo – the most widely used device of its type – could easily be abused by stalkers, Rapid7 warns.

An attacker could use the devices to stalk someone. If someone is using the device (TrackR Bravo), a malicious actor could discover users with these devices in a crowd, using easily available Bluetooth Low Energy (BLE) apps for their smartphone.

Once a vulnerable device is found in a crowd, a malicious actor could narrow it down to the actual person by accessing the device to set off the device alarm. The malicious actor could then track the owner of the device (TrackR Bravo) by using the device ID, also available via BLE, to track them online using their GPS coordinates generated by the device/mobile app functions.

To some extent the iTrack Easy device is also vulnerable to a similar scenario.

Smiles for Tiles

The Tile App from Tile, Inc was also examined, but no flaws were discovered, aside from a minor screenshot-caching issue, which presented no security issue.

As for the other devices, a product upgrade is likely to be needed to mend the flaws. Rapid7 “researchers do not expect these devices to be patchable … hopefully future releases of this product will address these issues”.

El Reg invited TrackR, KKMCM and Zizai Tech to comment but at time of writing we have yet to hear back from any of the IoT kit suppliers. ®
