Software Engineering Institute

The website for MobileTrack states:

"MobileTrack is a real-time mobile application platform that empowers organizations and individuals through Mobile Resource Management solutions. Customers can have visibility and control based on where a phone is located and how it is being used in real-time. With permission granted, a simple-to-install phone client is loaded directly onto a mobile smart phone and customers can quickly gain control of their mobile operations."

CVE-2012-2562: Lack of authentication for administrative SMS commands
It has been reported that the source of SMS commands are not verified (CWE-306). An unauthenticated remote attacker that knows the phone number of a device with MobileTrack installed can run commands over SMS as if they were the administrator. Some of the available commands that would be useful to an attacker are TERM and WIPE. TERM uninstalls the application and WIPE will wipe the entire phone.

CVE-2012-2567: Information exposure on insecure non-default FTP account
MobileTrack also contains an information exposure vulnerability for a non-default configuration that uses FTP instead of HTTPS. Although it is not the default, a MobileTrack system administrator may inadvertently create a situation where user data is stored on Xelex's FTP server using the same username and password for all MobileTrack users (CWE-200). The data on the FTP server is automatically removed from the directory after upload so the window of opportunity for an attacker to copy the data is small. Test credentials are hard coded (CWE-798) into the MobileTrack application and data is transferred unencrypted (CWE-311) over FTP if the default HTTPS option is not used. The vendor has stated the hard-coded test credentials are not actively used in the application.

Additional details may be found in Mobile Defense's security advisory.

The CVSS score below applies to CVE-2012-2562.

An unauthenticated remote attacker may be able to uninstall the application or wipe the device. If FTP is used, user data on Xelex's FTP server may be exposed.

Apply an Update
MobileTrack version 2.4.1 has been released to address these vulnerabilities. In version 2.4.1, the hard-coded test credentials, as well as, the FTP feature are removed and SMS commands are not accepted directly. A single SMS command will tell MobileTrack to check the server for the specific command that is to be executed. If the server does not contain a command to execute nothing will happen.