search menu icon-carat-right cmu-wordmark

CERT Coordination Center

iTrack Easy contains multiple vulnerabilities

Vulnerability Note VU#974055

Original Release Date: 2016-10-25 | Last Revised: 2016-10-25


iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.


CWE-200: Information Exposure - CVE-2016-6542

The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.

CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.

CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

The CVSS Score below represents CVE-2016-6544


These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.


The CERT/CC is currently unaware of a practical solution to this problem.

Use with caution

Until the vendor supplies a patch, the user should practice caution as to where these devices are used.

Vendor Information


iTrack Affected

Notified:  September 13, 2016 Updated: October 25, 2016



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group Score Vector
Base 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:--
Temporal 5.8 E:ND/RL:ND/RC:ND
Environmental 1.4 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

CVE IDs: CVE-2016-6542, CVE-2016-6543, CVE-2016-6544, CVE-2016-6545, CVE-2016-6546
Date Public: 2016-10-25
Date First Published: 2016-10-25
Date Last Updated: 2016-10-25 15:13 UTC
Document Revision: 22

Sponsored by CISA.