Personal Tracking System Exposes Whereabouts, User Data

A recent security advisory for the EV-07S GPS tracker device shows technical and design flaws that allow remote resets, access to user data and access to sensitive data it sends to the server.

Produced by Eview, EV-07S GPS tracker is made to track children, medical patients or the elderly in real time. It is also used by the Colombian government as a “panic button” for individuals working in high-risk environments (activists, journalists) at risk of attacks or kidnapping.

Deral Heiland of Rapid7 discovered the problems as part of an independent security audit requested by the Associated Press. The researcher revealed seven vulnerabilities, exploitable via different vectors. Three of them can be exploited without authentication and lead to serious risks, including remote reset of the device to factory defaults, altering real tracking data and access to user information (TrackerID, device IMEI, account name).

The advisory notes that, to reset the device to factory settings, an attacker would only need the phone number registered with the targeted EV-07S and then to send the “RESET” command via SMS. Short messages can then be used to reconfigure the tracker to the attacker’s needs. This is actually the intended behavior of the manufacturer, as described in the user’s manual.

While assessing the security of EV-07S, Heiland found that it communicates with the web application over an unencrypted channel, sending the device IMEI and GPS data in plain text. Not only could attackers harvest these details, but they could also inject false data and make the owner of the panic button seem to be at an incorrect location.

“A malicious actor can gain access to user data including account name, TrackerID and device IMEI id. This is done by posting userId=5XXXX&trackerName=&type=allTrackers with a the target’s userID number to the API  at http://www.smart-tracking.com/web/searchTrackerList.do,” reads the Rapid7 report. Someone logged into their account can also access configuration and GPS information of other users of the service, by simply guessing a valid userID, IMEI or TrackerID.

Eview’s tracker is equipped with a wireless chip to send the data out, a microphone and receiver, and an SOS button to call for help in case of emergency. Given these capabilities, it is easy to suspect that the device can be used to listen in on the targets, not just learn or modify their physical location.

Photo credit: Eview