Original Release Date: 2016-10-25 | Last Revised: 2016-10-27
Overview
TrackR Bravo contains multiple vulnerabilities including sensitive information exposure and missing authentication.
Description
CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6538
The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.
CWE-200: Information Exposure - CVE-2016-6539 The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices.
CWE-306: Missing Authentication for Critical Function - CVE-2016-6540 Unauthenticated access to the cloud-based service maintained by the vendor is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539.
CWE-306: Missing Authentication for Critical Function - CVE-2016-6541 TrackR Bravo device allows unauthenticated pairing, which enables unauthenticated connected applications to write to various device attributes.
The CVSS Score below represents CVE-2016-6540
Impact
These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.
Solution
Apply an update
Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address these vulnerabilities. See the vendor statement for more details.
Use with caution
If a user is unable to apply an update, they should practice caution as to where these devices are used.
Notified: September 13, 2016 Updated: October 27, 2016
Status
Affected
Vendor Statement
We work in a fast-moving and exciting market, so we are constantly trying to improve our product and satisfy our customers.
Like other IOT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security. So we want to thank the team at Rapid7 for helping us pinpoint our efforts in this area.
Regarding the claim that retrieve TrackR doesn’t require authentication, we knew about this issue and fixed it several months ago. After that time, the deprecated call remained online, but was no longer in use by any apps. We are grateful that Rapid7 brought this possible point of confusion to our attention; as of yesterday, that call has been completely removed but no consumers have had access since we became aware of this issue in the spring.
Regarding the claim that passwords are stored in plain text on iOS datastore, as soon as we became aware of this yesterday, we took action with an iOS update already submitted.
Regarding the claim that sending TrackR data calls aren’t secure, as soon as we became aware of this yesterday, our engineering team designed a fix that will be applied by the end of next week (week of October 31st).
Regarding the claim that TrackR broadcasts a unique identifier, this is by design. This enables the TrackR app to be more power efficient for conducting Crowd GPS updates. This is a function common in all tracking devices with Crowd GPS capabilities. There is no user data stored in the device and enabling connection only allows for nearby users to ring the device. When the device is nearby the user, the device doesn’t advertise.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.