iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.
CWE-200: Information Exposure - CVE-2016-6542
The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.
CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to
getgps GPS data, which can allow unauthenticated parties to track the device.
CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the
parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.
CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.
CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the
cache.db file. The base64 encoding format is considered equivalent to cleartext.
The CVSS Score below represents CVE-2016-6544
These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.
The CERT/CC is currently unaware of a practical solution to this problem.
Use with caution
Until the vendor supplies a patch, the user should practice caution as to where these devices are used.
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Vendor has issued information
__ Sort by: Status Alphabetical
Affected Unknown __ Unaffected
Notified: September 13, 2016 Updated: October 25, 2016
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:--
Temporal | 5.8 | E:ND/RL:ND/RC:ND
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.
CVE IDs: | CVE-2016-6542, CVE-2016-6543, CVE-2016-6544, CVE-2016-6545, CVE-2016-6546
Date Public: | 2016-10-25
Date First Published: | 2016-10-25
Date Last Updated: | 2016-10-25 15:13 UTC
Document Revision: | 21