Software Engineering Institute

CWE-200: Information Exposure - CVE-2016-6542

The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.

CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.

CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.


The CVSS Score below represents CVE-2016-6544

These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.

The CERT/CC is currently unaware of a practical solution to this problem.

Use with caution

Until the vendor supplies a patch, the user should practice caution as to where these devices are used.