iTrack Easy contains multiple vulnerabilities

2016-10-25T00:00:00
ID VU:974055
Type cert
Reporter CERT
Modified 2016-10-25T15:13:00

Description

Overview

iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.

Description

CWE-200: Information Exposure - CVE-2016-6542

The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.

CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.

CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

The CVSS Score below represents CVE-2016-6544


Impact

These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.


Solution

The CERT/CC is currently unaware of a practical solution to this problem.


Use with caution

Until the vendor supplies a patch, the user should practice caution as to where these devices are used.


Vendor Information

974055

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ iTrack

Notified: September 13, 2016 Updated: October 25, 2016

Status

__ Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:--
Temporal | 5.8 | E:ND/RL:ND/RC:ND
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • <http://www.ieasytec.com/>
  • <https://community.rapid7.com/community/infosec/blog/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities>

Acknowledgements

Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: | CVE-2016-6542, CVE-2016-6543, CVE-2016-6544, CVE-2016-6545, CVE-2016-6546
---|---
Date Public: | 2016-10-25
Date First Published: | 2016-10-25
Date Last Updated: | 2016-10-25 15:13 UTC
Document Revision: | 21