Hey there, Joseph here with something that is (weirdly) close to becoming a trend? A hacker got access to an internal tool at a GPS tracking company and could look up users' locations. No, no, not the Tile breach we reported on before. Another one. When there is a third one then we can call it a thing.

A hacker gained access to an internal troubleshooting tool used by GPS tracking company Trackimo that allowed them to look up the location history of other people’s devices, according to the hacker and screenshots of the tool shared with 404 Media. Trackimo sells a GPS tracker that it says can be used for keeping tabs on family members, pets, vehicles, or expensive equipment.

The hacker said they gained access to Trackimo’s internal support system, found an email that included the password for the troubleshooting tool, and then used that to search for their own device and others.

“I think the way the tool is implemented is a bit shoddy,” the hacker, who uses the handle maia arson crimew, told 404 Media in an online chat. “Given it has just one easily guessable password, it’s pretty bad,” maia added.

💡 Do you know about any other internal tools like this? I would love to hear from you. Using a non-work device, you can message me securely on Signal at +44 20 8133 5190. Otherwise, send me an email at joseph@404media.co.

The news highlights how tools that are designed for internal use by company employees can be leveraged by outside hackers or third parties for their own gain if not properly secured.

The tool is called Trackimo Troubleshooter. The screenshots maia shared with 404 Media show a device’s “recent locations” displayed on a Google Maps-style interface. These appear to be based on GSM, WiFi, and GPS signals from the device. The panel also has fields for the user’s associated email address, name, and phone number.
The screenshots also include diagnostic information about the device, such as how many times the device has rebooted unintentionally or whether it has run on low battery.

Image: maia arson crimew.

On Thursday, maia published a write-up of the hack and other related findings. maia said she worked with collaborator Ryan Fae, but said that Fae did not touch any of Trackimo’s infrastructure. maia shared a copy of the write-up with 404 Media before publication.

In that write-up, maia said she bought a Trackimo device for around $10. Trackimo requires users to also pay for a monthly subscription to use the product. She then probed Trackimo’s web interface and went through a list of Trackimo subdomains, maia writes. She then found various hardcoded usernames and passwords to Trackimo systems, including some baked into the company’s mobile app. Cybersecurity company Tenable found a similar issue with Trackimo systems in 2021.
maia says she looked through the company’s helpdesk emails, which included another password, and then used that to log into the Trackimo Troubleshooter tool. maia writes the tool shows “technical support agents practically all the data from any given device by just entering a device id.”

Trackimo told 404 Media in an email that the hacker is no longer in the company's systems, that Trackimo has changed the password to the tool, and that the tool has now been disabled. When asked if the hacker could have looked up the location of any devices beyond her own, Trackimo said “to the best of our knowledge, no.”

This is contrary to what maia showed 404 Media. maia shared screenshots of search results related to multiple other devices beyond the one she purchased. These were devices that were potentially linked to law enforcement investigations in which Trackimo devices or data played a part, according to other documents that maia obtained and shared.

In the write-up, maia and Fae say that all vulnerabilities were reported to the company, and that Trackimo fixed them.

In a separate incident, a hacker recently targeted location data giant Tile and gained access to that company’s internal system for making data requests on behalf of law enforcement.