Recently, in the news of the exposure of the many by the GPS positioning device, tracking the abduction of the event http://news.xinhuanet.com/legal/2015-11/15/c_128429526_2.htm in. Many users have to consult, there is no method for detecting it? So in the market to buy some GPS positioning equipment, the study found the GPS positioning system of background using a common set of procedures, its Cloud Platform on the presence of multiple high-risk vulnerabilities, an attacker could exploit the vulnerability can be positioned to use the device of any user or the vehicle's current position, history trajectory, and even can be remotely cut off the vehicle oil-Electric. The user using a GPS to locate items, the personnel are very valuable if such a platform there is a security vulnerability, but the location information exposed to criminals, which will be for social cause a very big impact. 0x01 introduction We in the Taobao search on a gps positioning device, and found that the vast majority of sellers are selling the mainstream of the gps positioning system are the same set of procedures, are subject to the vulnerability. ! The system is substantially the principle and the architecture is as follows: ! In the GPS positioning apparatus is equipped with a 3G mobile phone card, the positioning apparatus acquires the current position coordinates via the 3g network transmission to the cloud monitoring platform, the user through the pc or mobile device log on the monitoring platform, you can locate the binding on their own account the location of the device. 0x02 vulnerability details Following this set on deal 8 0 0 0+, the cumulative evaluation of more than 2 2 0 0 0 positioning device, for example. ! Which Cloud Platform to use. NET development, the login interface is as follows: ! For Resellers, enter the account password can control the account under all the equipment, for the General user, select the input the IMEI and the password may be positioned a single location of the device. Through the study found, in its Cloud Platform, the presence of a large number of not authorized to access the webservice interface, we adopted the Protocol Specification calls these interfaces, it can access any user's information, change their password, or even to locate its position. ! ! Through the interface the administrator password is initialized, then the login view can be seen, only this one platform, there are more than 2 5 million of the devices, the current online device it has 2. 7 million. ! Can be positioned directly to these device specific location You can get to use the equipment of vehicles and personnel information, phone, license plate number, name, etc. ! You can navigate to their current vehicle to the specific location: ! Can also through the historical data analysis of vehicle trajectory: ! You can even direct the remote cut off the vehicle oil-Electric: ! Through further research we found that the system of webservice interface there is also thesql injectionvulnerability, by in the soap message to insert malicious data, and we can even direct control of the server. ! ! 0x03 vulnerability The study found that commercial GPS positioning program amount is very large, users all over China, Europe, the Middle East, Africa, Southeast Asia and other regions. ! Also includes some of the Middle East, war-torn regions all prefer to use GPS tracking. Here it is reflected out of the GPS application scenarios. ! ! ! !