Researchers find a string of security vulnerabilities affecting GPS services

'Trackmageddon' flaw could enable attackers to surreptitiously spy on users and steal personally identifiable data

GPS and location-tracking services could be vulnerable to a string of newly discovered vulnerabilities, dubbed "trackmageddon", according to two security researchers.

In a paper, Vangelis Stykas and Michael Gruhn claim that key security problems could expose users of GPS services to tracking by third parties.

The services are described as databases that harvest geolocation data from a range of connected devices, including child trackers, car trackers and pet trackers.

Product manufacturers tap into these services to implement GPS tracking in their own products and services, but the researchers have warned that cyber criminals - and state threat actors - could potentially launch attacks against them.

Thanks to a range of security issues, attackers have the ability to get into these devices and steal geolocation data from the people who use these services.

"We found vulnerabilities in the online services of (GPS) location tracking devices," claimed Stykas and Gruhn in their research paper.

They continued: "These vulnerabilities allow an unauthorised third party (among other things) access to the location data of all location tracking devices managed by the vulnerable online services."

The researchers added that the vulnerabilities include exposed folders, unsecured API endpoints, insecure direct object reference flaws and easy-to-guess passwords.

By taking advantage of these flaws, attackers can get access to personally identifiable information, such as phone numbers, device IMEI and serial numbers, GPS coordinates and other personal data.

Over the past few months, the researchers have contacted the potentially affected companies to warn them of the severity of these flaws.

They believe that many of these services could be using outdated versions of popular location tracking software ThinkRace, and urge them to stay up-to-date.

In many cases, companies have attempted to patch these flaws, but they end up re-appearing further down the line. The researchers said companies need to keep checking for signs of these flaws.

"There have been several online services that stopped being vulnerable to our automated proof of concept code, but because we never received a notification by a vendor that they fixed them, it could be that the services come back online again as vulnerable," the said.

Stykas and Gruhn have made several suggestions for users of to avoid these flaws, too. One of them is to remove as much data from the affected device as possible.

"If you have personalised your device, for example, given it a custom name (such as your car brand), or assigned phone numbers via the online service, you should change and/or delete those," they suggested.

"While the location history remains on the websites, there is no history (that we know of) for names or phone numbers assigned to devices.

"This way you are at least able to delete some of your private information from the still vulnerable online services."