A team of researchers from Rapid7 has disclosed a number of critical security vulnerabilities found within Internet of Things (IoT) and connected home devices.
The products in question are the TrackR Bravo from TrackR, a coin-sized, lightweight tracker which uses Bluetooth and GPS technology to help you track down missing items such as keys; the iTrack Easy from KKMCM; and the Nut tracker from Zizai Tech.
While these devices are compatible with both Apple’s iOS and Google’s Android mobile operating systems, the bugs have been found in app versions suitable for the iPad and iPhone.
Rapid7 said on Tuesday the TrackR Bravo contains a total of four important security issues. When running on an iPad, the TrackR Bravo mobile application stores the account password used to authenticate to the cloud API in cleartext, and to make matters worse, the app also allows unauthenticated access to GPS data, whether queried or sent.
Malicious attackers can access this data from any web browser without user credentials.
“Authentication appears to only be used to sync data back to your mobile application during application install/reinstall,” the researchers note.
In addition, the device tracking ID is exposed and can be obtained through Bluetooth if an attacker is close by, and because the TrackR Bravo allows unauthenticated pairing, attackers can link up to the device to modify data.
There are five security issues of note relating to the iTrack Easy. The device tracking ID can be snatched up without permission through Bluetooth when in close proximity to the iTrack. A device can be improperly registered under multiple user accounts, which then allows attackers to gain access to GPS data when devices are in close proximity to each other in order to track users, and this information can be modified without authentication checks.
The device also has a problem with session management. No session cookies are used to maintain valid user sessions, and if this data is captured through a Man-in-the-Middle (MiTM) attack, it can be used to compromise a user’s account.
In addition, account passwords used to authenticate to the cloud are encoded and stored poorly.
Zizai Tech’s Nut tracker was found to contain three security flaws. The first, contained within the Nut iPad mobile application, is caused by the fact the app stores account passwords in cleartext.
The second issue is a vulnerability which allows session tokens to be leaked because communication between the web and the app takes place through an unsecured, non-SSL tunnel. Attackers could use this flaw to launch a MiTM attack to capture this data and gain full access to user accounts.
The final bug is a problem caused by the Nut app permitting unauthenticated Bluetooth devices to write the device name’s attributes. This allows the device name to be changed by those other than registered users.
Tile Inc’s The Tile tracker has also been examined, but was free of any major security problems aside from a screenshot caching issue the researchers deem “minor.”
CVE numbers are yet to be assigned for the disclosed security problems.
These trackers might be small, innocuous IoT devices, but the risk to security as a whole is a problem vendors should take seriously. As the recent case of the Mirai botnet has shown, the smallest IoT devices can be exploited through vulnerabilities to take down far larger targets.