iTrack Easy contains multiple vulnerabilities

ID VU:974055
Type cert
Reporter CERT
Modified 2016-10-25T15:13:00



iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.


CWE-200: Information Exposure - CVE-2016-6542

The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.

CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.

CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

The CVSS Score below represents CVE-2016-6544


These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.


The CERT/CC is currently unaware of a practical solution to this problem.

Use with caution

Until the vendor supplies a patch, the user should practice caution as to where these devices are used.

Vendor Information


Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ iTrack

Notified: September 13, 2016 Updated: October 25, 2016


__ Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:--
Temporal | 5.8 | E:ND/RL:ND/RC:ND
Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND


  • <>
  • <>


Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: | CVE-2016-6542, CVE-2016-6543, CVE-2016-6544, CVE-2016-6545, CVE-2016-6546
Date Public: | 2016-10-25
Date First Published: | 2016-10-25
Date Last Updated: | 2016-10-25 15:13 UTC
Document Revision: | 21