{"id":25086,"date":"2024-08-19T08:10:05","date_gmt":"2024-08-19T16:10:05","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2024\/08\/19\/news-18816\/"},"modified":"2024-08-19T08:10:05","modified_gmt":"2024-08-19T16:10:05","slug":"news-18816","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2024\/08\/19\/news-18816\/","title":{"rendered":"Hacked GPS tracker reveals location data of customers"},"content":{"rendered":"\n<p>Stalkerware researcher maia arson crimew <a href=\"https:\/\/maia.crimew.gay\/posts\/gps-track-deez-nuts\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">strikes again<\/a>. Big time.<\/p>\n<p>We <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/02\/thetruthspy-stalkerware-still-insecure-still-leaking-data\">know<\/a> maia as a researcher that loves to go after stalkerware peddlers, which Malwarebytes\u2014as one of the founding members of the\u00a0<a href=\"https:\/\/stopstalkerware.org\/\" target=\"_blank\" rel=\"noreferrer noopener\">Coalition Against Stalkerware<\/a>\u2014loves to see.<\/p>\n<p>This time the target company, Tracki, is one selling GPS trackers and doesn\u2019t hesitate to explicitly market itself as a device for spying on a spouse or other family member. 
Tracki devices are sold by some major telecommunication companies, sometimes under the Tracki brand or sometimes under their own label.<\/p>\n<p>Tracki\u2019s mother company Trackimo\u2014hey we\u2019re not the ones that made that name up\u2014co-owns a subsidiary called watchinU that offers a Nickelodeon-branded smart watch for kids, the NickWatch, which is currently only available in the UK and Israel.<\/p>\n<p>The investigation into Tracki, besides uncovering a tangled web of companies, dubious websites, and false identities, also led to a data breach that maia says could possibly affect almost 12 million users.<\/p>\n<p>Researching the technology behind the tracker and the web portal for customers that want to see all their trackers on a map, maia found various hardcoded usernames and passwords used to load data from a number of administration and support tools.<\/p>\n<p>One of the tools, the Trackimo Troubleshooter, was designed for remote debugging of all Tracki and Trackimo devices, by showing the technical support agents practically all the data from any given device by just entering a device identification number.<\/p>\n<p>This \u201csimple internal support tool\u201d required no other authentication than logging in using a password that was shared between Tracki and Trackimo employees. All you need is a device ID, which follows a standardized format, so it looks like it\u2019s possible with a bit of scripting to grab all the relevant data from each device.<\/p>\n<p>Tracki support receives multiple subpoenas per week from local and federal law enforcement worldwide. Many are for stalking or harassment but also occasionally for other charges, including domestic violence, attempted murder, and murder. In all these cases, the victim was being tracked by using a Tracki device. 
maia says Trackimo is not only aware of these use cases, but actively assisted customers to set up nonconsensual tracking of individuals via its helpdesk.<\/p>\n<p>Worryingly, agencies and military programs in the US and other governments around the world use Tracki devices, typically for asset, personnel, and vehicle tracking.<\/p>\n<p>Our takeaway from this research is that by deciding to use stalkerware, of almost any kind, you are not the only one who might be able to follow the target. We have shown <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/05\/pctattletale-spyware-leaks-database-containing-victim-screenshots-gets-website-defaced\">time<\/a> and <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/02\/thetruthspy-stalkerware-still-insecure-still-leaking-data\">time<\/a> <a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/07\/dangerous-monitoring-tool-mspy-suffers-data-breach-exposes-customer-details\">again<\/a> that these companies do not invest as much in keeping their records secure as you would expect or hope.<\/p>\n<p>If you\u2019re curious about the companies and people behind them, please read <a href=\"https:\/\/maia.crimew.gay\/posts\/gps-track-deez-nuts\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">maia\u2019s blog<\/a>. It contains a lot of juicy details.<\/p>\n
<p><a href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2024\/08\/hacked-gps-tracker-reveals-location-data-of-customers\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> A stalkerware researcher has found that Trackimo and its Tracki GPS tracker have some underlying major security flaws exposing location data. 
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[32,5897],"class_list":["post-25086","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-news","tag-privacy"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=25086"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/25086\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=25086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=25086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=25086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}