Trackmageddon – Location Tracking Services (GPS) Vulnerabilities Allow to Access Unauthorized GPS Location Data

Security researchers discovered multiple vulnerabilities dubbed “Trackmageddon” which affects GPS services and online location tracking devices.

The vulnerabilities with GPS location tracking devices allow an unauthorized access to the location data that collected by all of the location tracking devices.

With the Trackmageddon vulnerability, attackers can get access to the location, model/type name, assigned phone number, and IMEI number.

Researchers said with gpsui.net and vmui.net, it requires the attacker to be logged in as a user and he sees any user data with this vulnerability and for other providers even Authentication not required.

Trackmageddon: https://t.co/r5T9EljM53

Vulnerabilities in online services of (GPS) location tracking devices allow unauthorized access to location data.

Unfortunately, we were unable to contact all vendors for fixes.
Still affected users should stop using the services.

— mich (@0x6d696368) January 2, 2018

By using the test devices they able to pull the access location history, activate/deactivate the alarm and to send commands, on some online services directory listings allow attackers to download the data.

“As long as the online service managing your device is still vulnerable changing your password will not matter and there is unfortunately not much you can currently do to protect yourself besides stopping to use the device.”

Researchers have no clues when the vulnerability to be fixed, they have released a number of still online vulnerable services, Pending fixes and fixed one’s.

Also Read:  phpMyAdmin CSRF Vulnerability Allows An Attacker to Delete Records From Database

Unfixed GPS Location Tracking Services:

• http://www.gps958.com
• http://m.999gps.net
• http://www.techmadewatch.eu
• http://www.jimigps.net
• http://www.9559559.com
• http://www.goicar.net
• http://www.tuqianggps.com
• http://vitrigps.vn
• http://www.coogps.com
• http://greatwill.gpspingtai.net
• http://www.cheweibing.cn
• http://car.iotts.net
• http://carm.gpscar.cn
• http://watch.anyixun.com.cn
• http://www.007hwz.com
• http://www.thirdfang.com
• http://www.wnxgps.cn
• http://binding.gpsyeah.net
• http://chile.kunhigps.cl
• http://portal.dhifinder.com
• http://www.bizgps.net
• http://www.gpsmarvel.com
• http://www.mygps.com.my
• http://www.mygpslogin.net
• http://www.packet-v.com
• http://login.gpscamp.com
• http://www.tuqianggps.net
• http://tuqianggps.net
• http://www.dyegoo.net
• http://tracker.gps688.com
• http://www.aichache.cn
• http://gtrack3g.com
• http://www.ciagps.com.tw
• http://www.fordonsparning.se
• http://www.gm63gps.com
• http://yati.net
• http://www.mytracker.my
• http://www.istartracker.com
• http://www.twogps.com
• http://www.gpsyue.com
• http://www.xmsyhy.com
• http://www.icaroo.com
• http://mootrack.net
• http://spaceeyegps.com
• http://www.freebirdsgroup.com
• http://www.gpsmitramandiri.com
• http://www.silvertrackersgps.com
• http://www.totalsolutionsgps.com
• http://567gps.com
• http://gps.tosi.vn
• http://gps.transport-duras.com
• http://thietbigps.net
• http://mygps.co.id
• http://www.gpsuser.net
• http://www.mgoogps.com
• http://www.gpscar.cn
• http://www.aichache.net
• http://www.gpsline.cn
• http://2.tkstargps.net
• http://ephytrack.com
• http://www.squantogps.com
• http://www.tkgps.cn
• http://vip.hustech.cn
• http://www.blowgps.com
• http://www.zjtrack.com
• http://fbgpstracker.com
• http://gps.gpsyi.com
• http://www.crestgps.com
• http://www.spstrackers.com
• http://en.gps18.com
• http://en.gpsxitong.com
• http://gps18.com
• http://en2.gps18.com
• http://ry.gps18.com
• http://www.ulocate.se
• http://classic.gpsyeah.com
• http://www.gpsyeahsupport.top
• http://gpsui.net
• http://vmui.net

If your device is managed via gpsui.net or vmui.net your location history is only stored for the past 7 days. Hence, not using the device for 7 days is enough to delete your location history from the online service. Researchers added.

Researchers believe that the original developer of the location tracking was Thinkrace the seller of license, so they communicated to them and the vendor fixed the issues.