CERTVU:974055iTrack Easy contains multiple vulnerabilities
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.5%
Overview
iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.
Description
CWE-200: Information Exposure - CVE-2016-6542
The iTrack device tracking ID number is the device’s BLE MAC address. It can be obtained by being in range of the device.
CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.
CWE-306**:**Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.
CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user’s password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.
CWE-313:**** Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.
The CVSS Score below represents CVE-2016-6544
Impact
These vulnerabilities may allow an unauthenticated, remote attacker to track a user’s location without their consent.
Solution
The CERT/CC is currently unaware of a practical solution to this problem.
Use with caution
Until the vendor supplies a patch, the user should practice caution as to where these devices are used.
Vendor Information
974055
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
iTrack Affected
Notified: September 13, 2016 Updated: October 25, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.8 | AV:N/AC:M/Au:N/C:P/I:P/A:– |
| Temporal | 5.8 | E:ND/RL:ND/RC:ND |
| Environmental | 1.4 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
References
- <http://www.ieasytec.com/>
- <https://community.rapid7.com/community/infosec/blog/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities>
Acknowledgements
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.
Other Information
| CVE IDs: | CVE-2016-6542, CVE-2016-6543, CVE-2016-6544, CVE-2016-6545, CVE-2016-6546 |
|---|---|
| Date Public: | 2016-10-25 Date First Published: |
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile
73.5%