CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
52.1%
TrackR Bravo contains multiple vulnerabilities including sensitive information exposure and missing authentication.
CWE-313**:**Cleartext Storage in a File or on Disk - CVE-2016-6538
The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db
file.
** CWE-200: Information Exposure** - CVE-2016-6539
The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices.
CWE-306: Missing Authentication for Critical Function - CVE-2016-6540
Unauthenticated access to the cloud-based service maintained by the vendor is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539.
CWE-306: Missing Authentication for Critical Function - CVE-2016-6541
TrackR Bravo device allows unauthenticated pairing, which enables unauthenticated connected applications to write to various device attributes.
The CVSS Score below represents CVE-2016-6540
These vulnerabilities may allow an unauthenticated, remote attacker to track a userβs location without their consent.
Apply an update
Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address these vulnerabilities. See the vendor statement for more details.
Use with caution
If a user is unable to apply an update, they should practice caution as to where these devices are used.
617567
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: September 13, 2016 Updated: October 27, 2016
Affected
We work in a fast-moving and exciting market, so we are constantly trying to
improve our product and satisfy our customers.
Like other IOT companies large and small, we also have to keep pace with the
ever-evolving threats which are redefining IT security. So we want to thank the
team at Rapid7 for helping us pinpoint our efforts in this area.
Regarding the claim that retrieve TrackR doesnβt require authentication, we
knew about this issue and fixed it several months ago. After that time, the
deprecated call remained online, but was no longer in use by any apps. We are
grateful that Rapid7 brought this possible point of confusion to our attention;
as of yesterday, that call has been completely removed but no consumers have
had access since we became aware of this issue in the spring.
Regarding the claim that passwords are stored in plain text on iOS datastore,
as soon as we became aware of this yesterday, we took action with an iOS update
already submitted.
Regarding the claim that sending TrackR data calls arenβt secure, as soon as we
became aware of this yesterday, our engineering team designed a fix that will
be applied by the end of next week (week of October 31st).
Regarding the claim that TrackR broadcasts a unique identifier, this is by
design. This enables the TrackR app to be more power efficient for conducting
Crowd GPS updates. This is a function common in all tracking devices with Crowd
GPS capabilities. There is no user data stored in the device and enabling
connection only allows for nearby users to ring the device. When the device is
nearby the user, the device doesnβt advertise.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector |
---|---|---|
Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:N |
Temporal | 5.8 | E:ND/RL:ND/RC:ND |
Environmental | 1.4 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.
CVE IDs: | CVE-2016-6538, CVE-2016-6539, CVE-2016-6540, CVE-2016-6541 |
---|---|
Date Public: | 2016-10-25 Date First Published: |
CVSS2
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
ADJACENT
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
52.1%