Xelex Technologies' MobileTrack application reportedly does not verify the source of administrative SMS commands, so an unauthenticated remote attacker can send commands to MobileTrack over SMS. User data is also exposed on an insecure FTP server account.
The website for MobileTrack states:
"MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations."
An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex's FTP server may be exposed.
Apply an Update
Thanks to the Mobile Defense Threat Research Team for reporting this vulnerability.
This document was written by Jared Allar.