search menu icon-carat-right cmu-wordmark

CERT Coordination Center

TrackR Bravo contains multiple vulnerabilities

Vulnerability Note VU#617567

Original Release Date: 2016-10-25 | Last Revised: 2016-10-27


TrackR Bravo contains multiple vulnerabilities including sensitive information exposure and missing authentication.


CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6538

The TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file.

CWE-200: Information Exposure - CVE-2016-6539
The Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6540
Unauthenticated access to the cloud-based service maintained by the vendor is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6541
TrackR Bravo device allows unauthenticated pairing, which enables unauthenticated connected applications to write to various device attributes.

The CVSS Score below represents CVE-2016-6540


These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.


Apply an update

Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address these vulnerabilities. See the vendor statement for more details.

Use with caution

If a user is unable to apply an update, they should practice caution as to where these devices are used.

Vendor Information


TrackR Affected

Notified:  September 13, 2016 Updated: October 27, 2016



Vendor Statement

We work in a fast-moving and exciting market, so we are constantly trying to
improve our product and satisfy our customers.

Like other IOT companies large and small, we also have to keep pace with the
ever-evolving threats which are redefining IT security. So we want to thank the
team at Rapid7 for helping us pinpoint our efforts in this area.

Regarding the claim that retrieve TrackR doesn’t require authentication, we
knew about this issue and fixed it several months ago. After that time, the
deprecated call remained online, but was no longer in use by any apps. We are
grateful that Rapid7 brought this possible point of confusion to our attention;
as of yesterday, that call has been completely removed but no consumers have
had access since we became aware of this issue in the spring.

Regarding the claim that passwords are stored in plain text on iOS datastore,
as soon as we became aware of this yesterday, we took action with an iOS update
already submitted.

Regarding the claim that sending TrackR data calls aren’t secure, as soon as we
became aware of this yesterday, our engineering team designed a fix that will
be applied by the end of next week (week of October 31st).

Regarding the claim that TrackR broadcasts a unique identifier, this is by
design. This enables the TrackR app to be more power efficient for conducting
Crowd GPS updates. This is a function common in all tracking devices with Crowd
GPS capabilities. There is no user data stored in the device and enabling
connection only allows for nearby users to ring the device. When the device is
nearby the user, the device doesn’t advertise.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal 5.8 E:ND/RL:ND/RC:ND
Environmental 1.4 CDP:N/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2016-6538, CVE-2016-6539, CVE-2016-6540, CVE-2016-6541
Date Public: 2016-10-25
Date First Published: 2016-10-25
Date Last Updated: 2016-10-27 17:58 UTC
Document Revision: 36

Sponsored by CISA.