Many GPS and location tracking services are vulnerable to a number of security flaws that could expose personally identifiable information, two security researchers have warned.
Vangelis Stykas and Michael Gruhn describe the series of flaws as 'Trackmageddon' in a report into the key security problems they have found in many GPS tracking services.
These services are used to harvest geolocation data from a range of connected devices, including child trackers, car trackers and pet trackers, so that their users can keep track of where those devices are.
The researchers warn that security flaws in a number of these services could be exploited, enabling attackers to steal geolocation data from the people who use them.
"We found vulnerabilities in the online services of (GPS) location tracking devices," said the researchers in a post detailing the vulnerabilities.
"These vulnerabilities allow an unauthorised third party (among other things) access to the location data of all location tracking devices managed by the vulnerable online services."
The researchers said vulnerabilities include exposed folders, unsecured API endpoints, insecure direct object reference flaws and easy-to-guess passwords.
By utilising these flaws, attackers can get access to information such as phone numbers, device IMEI and serial numbers, GPS coordinates and personal data.
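The insecure direct object reference class named above is the one that turns a single valid account into access to every tracker on a service. The following is an added illustration, not code from the researchers or from any of the affected vendors: a minimal in-memory model of a tracking API with a vulnerable location endpoint beside its fixed form, plus a small enumeration routine that stands in for an automated re-check. All device IDs, IMEIs, phone numbers, session tokens and coordinates are constructed sample data.

```python
# Added example (not the researchers' proof-of-concept code): an insecure direct
# object reference (IDOR) in a location-tracking API, beside the fixed handler.
# Every identifier below (device IDs, IMEIs, phone numbers, tokens, coordinates)
# is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: int
    owner: str
    imei: str
    phone: str
    lat: float
    lon: float


# Constructed sample data: two users, each owning one tracker.
DEVICES = {
    1001: Device(1001, "alice", "356938035643809", "+15550100", 51.5074, -0.1278),
    1002: Device(1002, "bob", "490154203237518", "+15550199", 48.8566, 2.3522),
}

# Constructed session table: a session token maps to the authenticated user.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    pass


def get_location_vulnerable(session_token: str, device_id: int) -> dict:
    """IDOR: the caller is authenticated, but device_id is never checked against
    the caller's own devices, so any logged-in user can read any tracker."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    dev = DEVICES[device_id]
    return {"device_id": dev.device_id, "imei": dev.imei, "phone": dev.phone,
            "lat": dev.lat, "lon": dev.lon}


def get_location_fixed(session_token: str, device_id: int) -> dict:
    """Fixed: resolve the caller, then require that the requested object belongs
    to them. Unknown and foreign devices produce the same error so that device
    IDs cannot be enumerated, and the response is limited to the location
    fields the feature actually needs."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    dev = DEVICES.get(device_id)
    if dev is None or dev.owner != user:
        raise Forbidden("no such device")
    return {"device_id": dev.device_id, "lat": dev.lat, "lon": dev.lon}


def enumerate_devices(fetch, session_token: str, id_range) -> list:
    """Stand-in for an automated check: walk a range of device IDs with one valid
    session and return the IDs whose data the endpoint hands back. Against the
    vulnerable handler this includes other users' devices."""
    readable = []
    for device_id in id_range:
        try:
            readable.append(fetch(session_token, device_id)["device_id"])
        except (Forbidden, KeyError):
            continue
    return readable


if __name__ == "__main__":
    # Alice's session against the vulnerable endpoint reads Bob's tracker too.
    print("vulnerable:", enumerate_devices(get_location_vulnerable, "tok-alice", range(1000, 1005)))
    print("fixed:     ", enumerate_devices(get_location_fixed, "tok-alice", range(1000, 1005)))
```

Sequential device IDs are what make the enumeration loop cheap; the fix is the ownership check in the handler, not obscuring the IDs. Returning an identical error for "does not exist" and "not yours" keeps a probing client from learning which IDs are live.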
Over the past few months, the researchers have been reaching out to potentially affected companies to ensure they understand the severity of these flaws.
They believe that many of these services could be using outdated versions of popular location tracking software ThinkRace, and urge them to stay up-to-date.
In many cases, companies have attempted to patch these flaws, but they end up re-appearing further down the line. The researchers said companies need to keep checking for signs of these flaws.
"There have been several online services that stopped being vulnerable to our automated proof of concept code but, because we never received a notification by a vendor that they fixed them, it could be that the services came back online again as vulnerable," they said.
Stykas and Gruhn made several suggestions to help users mitigate these security flaws. One of them is to remove as much potentially personally identifiable data from the affected devices as possible.
"If you have personalised your device, for example, given it a custom name (such as your car brand), or assigned phone numbers via the online service, you should change and/or delete those," they advised.
"While the location history remains on the websites, there is no history (that we know of) for names or phone numbers assigned to devices.
"This way you are at least able to delete some of your private information from the still vulnerable online services."