Users' privacy is threatened by vulnerabilities in the systems of services that use GPS location information



Many smartphone functions and services use GPS location information, but a warning has been issued that vulnerabilities in the online service systems that track location put users' location data, and the information that identifies them, at risk of being collected by malicious third parties.

Multiple vulnerabilities in the online services of (GPS) location tracking devices
https://0x0.li/trackmageddon/#advisories

Security experts Vangelis Stykas and Michael Gruhn have released "Trackmageddon", a report on vulnerabilities in online services that use GPS location tracking. Location services used to track young children, pets, cars and so on collect geolocation data from the device, build a database from it, and provide various location-based services. According to the two experts, however, the online tracking systems that manage these databases contain many vulnerabilities, and there is a danger that data identifying a user's location will be collected from outside. Specifically, the problems reportedly include passwords that are far too easy to guess, such as "123456", exposed folders, and insecure APIs.

Mr. Stykas notified the affected tracking services that their systems were vulnerable and open to attack. However, a few months after the notification, only a handful of services had applied patches addressing the risk of data leakage, and the other services are still exposed to the risk of leaking information.

That is why Trackmageddon lists the problematic tracking services by name. The aim is said to be to urge service providers to respond by pointing out that their services contain vulnerabilities.

◆ Services whose vulnerabilities were fixed
·https://www.one2trackgps.com (fixed November 27, 2017)
·http://kiddo-track.com (fixed November 27, 2017)
·http://www.amber360.com (fixed November 27, 2017)
·http://tr.3g-elec.com (fixed December 18, 2017; subdomain deleted)
·http://manage.5gcity.com (fixed January 4, 2018)
·http://grapi.5gcity.com (fixed January 4, 2018)

◆ Services probably fixed (but no fix reported)
·http://www.nikkogps.com (domain disappeared on November 30, 2017)
·http://www.igps.com.my
·http://app.gpsyeah.com (API usage restricted)
·http://gps.nuoduncar.com (500 error)
·http://hytwuliu.cn (server timeout)
·http://www.tourrun.net (server timeout)
·http://vnetgps.net (API changed to return null data)
·http://www.999gpstracker.com
·http://www.trackerghana.com
·http://www.suntrackgps.com
·http://www.sledovanivozidel.eu
·http://www.response1gps.com
·http://www.inosiongps.com
·http://www.carzongps.com

◆ Services responding to the report
·http://wagps.net (API still accessible)
·http://www.wagps.net (API still accessible)
·http://love.iotts.net (API still accessible)

◆ Services with vulnerabilities

Linking GPS location information with the user information that can be obtained from the device has a major impact on user privacy, so when using a service with a GPS tracking function it is important for users to protect themselves as well. Because many services set the password to "123456" by default, the report urges users to change it. In addition, users of services whose vulnerabilities are still unaddressed are encouraged to delete as much data as possible.

in Web Service, Security, Posted by darkhorse_log