iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.
CWE-200: Information Exposure - CVE-2016-6542
The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.
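A design-review check for the flaw described above, as an added example that is not from the advisory or the vendor: it flags a tracking identifier that can be derived from the address a device advertises over BLE, and an address type that never rotates. The function names, the sample addresses and the sample IDs are constructed for illustration.

```python
import re

def normalize(value):
    """Drop common separators and case so 'AA:BB:..' and 'aabb..' compare equal."""
    return re.sub(r"[:\-. ]", "", value.lower())

def address_kind(mac, is_random):
    """Classify a BLE device address.

    is_random is the TxAdd flag from the advertising PDU header. For random
    addresses the two most significant bits of the 48-bit value give the subtype.
    """
    if not is_random:
        return "public"
    top = int(normalize(mac)[:2], 16) >> 6
    return {0b11: "random-static", 0b01: "resolvable-private",
            0b00: "non-resolvable-private"}.get(top, "reserved")

def id_derived_from_mac(tracking_id, mac):
    """True if the tracking ID is the advertised address in either byte order."""
    m = normalize(mac)
    if not re.fullmatch(r"[0-9a-f]{12}", m):
        raise ValueError("expected a 48-bit address")
    # Over-the-air byte order is little-endian, so check the reversed form too.
    reversed_bytes = "".join(reversed([m[i:i + 2] for i in range(0, 12, 2)]))
    return normalize(tracking_id) in (m, reversed_bytes)

def audit(tracking_id, mac, is_random):
    """Return the privacy findings for one device under review."""
    findings = []
    kind = address_kind(mac, is_random)
    if id_derived_from_mac(tracking_id, mac):
        findings.append("tracking ID is derivable from the advertised address")
    if kind in ("public", "random-static"):
        findings.append("address type %s does not rotate" % kind)
    return findings

if __name__ == "__main__":
    # Constructed samples: (tracking ID, advertised address, TxAdd flag).
    samples = [
        ("c47c8d001122", "C4:7C:8D:00:11:22", True),
        ("7b1e0c52-93aa-4d0f-8e61-2f6d9a0c4b17", "5A:10:22:33:44:55", True),
    ]
    for tid, mac, rnd in samples:
        print(mac, address_kind(mac, rnd), audit(tid, mac, rnd))
```

An empty result means the identifier is independent of the broadcast address and the address is a private (rotating) type; it says nothing about whether the service behind the identifier requires authentication.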
These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.
The CERT/CC is currently unaware of a practical solution to this problem.
Use with caution
Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.
This document was written by Trent Novelly.