Case #17: Tracking dog owners

The tool for the owner to track their pet became a tool for tracking all the pet owners themselves. The hunters became the hunted.

Published: Mon, June 25, 2018, 06:57
Security Monday
Information leak
Internet of Things
OWASP 2017 A5

tl;dr

A tracking system was leaking information about all of its users, their pictures, and the information and location data from all of the trackers.

Summary

Who: Anonymous, let's call them Acme4
Severity level: Medium
Reported: May 2018
Reception and handling: Good
Status: Fixed
Reward: A thank you
Issue: Information leak with pictures, personal information and location data

Background

Acme4 sells a tracking chip intended to be used for dogs. There's a companion mobile app which is used to see the tracker on the map and send commands to it. It was a bit of a coincidence that I noticed this system and took a closer look at it.

Approach (technical stuff)

The app

I never had physical access to a tracker, so the only entry point for me was the app itself.

I have my guide on how to crack Android apps which I take a quick glance at when doing this stuff. This was easy enough though. I downloaded the APK from and decompiled it with The end result was full access to the source code and resources.

Normally I would probably just have used an HTTP proxy to intercept the traffic, but in this case, where I didn't have the necessary hardware (the tracker), I wouldn't be able to use all functions, so I needed the source code to discover all possible HTTP calls. Also, the source code sometimes includes hidden gems like unused endpoints, test servers and more.

I was a bit surprised by how clean the code was and how it used modern patterns and libraries. The UI isn't that nice and often I find there to be a correlation.

The server API

With the app's source code I could try out the server communication. This wasn't exactly your regular REST API. While the data returned from the server was JSON, all of the calls were GET calls for all kinds of actions with the data in query string parameters - even the authentication. Of course this just makes it much easier to play around using a desktop browser.

The search for adding friends had the classic "return everything" when searching for ___. There's nothing inherently wrong with that, but it isn't ideal, and also the search returned the ID, username, a display name, first name, last name and e-mail address of the users.
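A server-side search that avoids both problems described above, as an added example that is not code from the app or its vendor. The post does not say how the search is implemented; this sketch assumes a SQL `LIKE` query, and the table layout, thresholds and sample rows are constructed.

```python
import sqlite3

MIN_QUERY_LEN = 3          # assumed policy: refuse very short searches
MAX_RESULTS = 10           # assumed policy: cap the result set
PUBLIC_FIELDS = ("id", "display_name")   # never e-mail or real name


def escape_like(term: str) -> str:
    """Escape LIKE metacharacters so they only match literally."""
    return (term.replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_"))


def search_users(db: sqlite3.Connection, term: str) -> list[dict]:
    """Prefix search on display name that cannot be turned into 'list all'."""
    term = term.strip()
    # Require enough letters/digits for the query to be selective.
    if sum(ch.isalnum() for ch in term) < MIN_QUERY_LEN:
        return []
    rows = db.execute(
        "SELECT id, display_name FROM users "
        "WHERE display_name LIKE ? ESCAPE '\\' "
        "ORDER BY display_name LIMIT ?",
        (escape_like(term) + "%", MAX_RESULTS),
    ).fetchall()
    return [dict(zip(PUBLIC_FIELDS, row)) for row in rows]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data (not from the post)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
               "display_name TEXT, first_name TEXT, last_name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", [
        (1, "rex_owner", "Rex & Co", "Ann", "Example", "ann@example.test"),
        (2, "bella99", "Bella", "Bob", "Example", "bob@example.test"),
        (3, "pct", "100%_dog", "Cy", "Example", "cy@example.test"),
    ])
    return db


if __name__ == "__main__":
    db = demo_db()
    print(search_users(db, "%"))     # wildcard-only query is refused
    print(search_users(db, "Bel"))   # only id and display name come back
```
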

That open Amazon S3 bucket

I found all the pictures of the users in an open Amazon S3 bucket. Luckily most of the users are dogs. 😅 But still, some owners might upload pictures of themselves with their pet. Surely the owners don't expect the pictures to be lying around on the Internet.

The web site

In addition to the app I found a "my page" at the service's website, and this is where I struck gold. Most of the site's PHP scripts were available when logged in, but the scripts were located in a directory with open directory listing.

Using the PHP scripts it was possible to iterate through all of the registered trackers as the ID was based on an incremental integer. The combined tracker information I got from the scripts was ID, phone number (to the tracker SIM card), IMEI, display name and historical location data (latitude, longitude, address, direction).

The good news is that I didn't find any direct way of seeing which tracker belonged to which user. However, about 5% could be connected because of the display name of the tracker. Additionally, because of the incremental IDs, it was possible to pretty accurately estimate which tracker belonged to which user.
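Because every call is a GET with its data in the query string, a walk through incremental tracker IDs is visible in ordinary web access logs. The following is an added detection sketch, not code from the post or the vendor; the script path, the `id` parameter name, the thresholds and the log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical endpoint and parameter; the post does not name the scripts.
ID_PARAM = re.compile(r'"GET /scripts/tracker\.php\?(?:[^" ]*&)?id=(\d+)[& "]')
MIN_DISTINCT = 5      # assumed threshold: distinct tracker IDs per client
MIN_SEQ_RATIO = 0.8   # assumed threshold: share of requests stepping by +1


def find_enumerators(log_lines):
    """Return {client_ip: distinct_id_count} for clients walking IDs in order."""
    ids_by_client = defaultdict(list)
    for line in log_lines:
        m = ID_PARAM.search(line)
        if m:
            client_ip = line.split(" ", 1)[0]   # first field in common log format
            ids_by_client[client_ip].append(int(m.group(1)))
    flagged = {}
    for ip, ids in ids_by_client.items():
        distinct = len(set(ids))
        if distinct < MIN_DISTINCT:
            continue   # an owner polling their own tracker stays below this
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        if steps / (len(ids) - 1) >= MIN_SEQ_RATIO:
            flagged[ip] = distinct
    return flagged


def sample_log():
    """Constructed access-log lines (common log format), not real data."""
    fmt = ('{ip} - - [01/Jan/2024:06:{m:02d}:00 +0000] '
           '"GET /scripts/tracker.php?id={i} HTTP/1.1" 200 512')
    owner = [fmt.format(ip="198.51.100.7", m=n, i=4211) for n in range(6)]
    walker = [fmt.format(ip="203.0.113.9", m=n, i=1000 + n) for n in range(12)]
    return owner + walker


if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

Detection like this complements, and does not replace, a per-request check that the logged-in user owns the requested tracker.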

Security issues

One could systematically go through all users and all trackers and retrieve the following information:

- Users:
  - Full name
  - E-mail address
  - Username
  - Display name
- Trackers:
  - Display name
  - Location (latitude, longitude, direction, address)
  - IMEI
  - Phone number

It was only possible to either estimate the owner of the tracker (based on incremental IDs) or - for 5% of the trackers - assume a match based on display names. All pictures of the pets were available for download.

Reception and handling

Day zero

Night time Friday I sent an e-mail to the support address. I like to keep it short, but this was probably the longest description I've had to write in such an e-mail.

Day 3

Before lunch on Monday I got an e-mail thanking me for the report.

Day 4

Again before lunch, I got an e-mail telling me that everything should be fixed. So this was all pretty quickly taken care of.

Day X

While doing this write-up I saw - and reported - that the search for adding friends within the app still also returns e-mail addresses and still returns all users if searching for a special character. I hope that'll be fixed. Imagine Facebook giving away all users and their e-mail addresses that easily.

Anonymous you say?

I looked into the financial and other public information of this company. I also checked out social media and did a little general due diligence. Though the person behind the company might not do all coding and support personally, it appeared to be a one-man show. I don't want to use my blog to afflict individuals. As stated before, I want people to know that none of their data is secure, I want us developers to improve our data security skills, and I want companies to take more responsibility around data security and their customer data.

Conclusion

Maybe we as consumers should think twice when buying devices connected to the Internet. Think about what information you hand over to the vendor and what could be the worst case if everything's leaked. Would someone be able to live track you? Would someone be able to know when you're not at home? Would you be ok with anyone having the usage data for this system? Would you be fooled if anyone used this information in a clever way in a phishing e-mail?

I wish that there was some sort of certification to know that an IoT vendor at least fulfils some minimum standards with regard to computer security and has regular third-party audits.
