It’s an IoT nightmare. One that is entirely preventable. Two researchers have disclosed problems with hundreds of vulnerable GPS services using open APIs and trivial passwords (123456), resulting in a multitude of privacy issues including direct tracking. Further, many of the vulnerable services have open directories exposing logged data.
For some, the vulnerabilities discovered and disclosed by Vangelis Stykas and Michael Gruhn aren’t new. They were disclosed during Kiwicon in 2015 by Lachlan Temple, who demonstrated flaws in a popular car tracking immobilization device.
However, the recent disclosure seriously widens the scope of the earlier research, extending it to millions of devices on the market that use A8 mini GPS trackers and S8 data line locators. Like many IoT gadgets, these devices are sold with little or no security by scores of white-label resellers.
Read more about the GPS tracking vulnerabilities on CSO.