TrackR Information for VU#617567

TrackR Bravo contains multiple vulnerabilities



Vendor Statement

We work in a fast-moving and exciting market, so we are constantly trying to
improve our product and satisfy our customers.

Like other IOT companies large and small, we also have to keep pace with the
ever-evolving threats which are redefining IT security. So we want to thank the
team at Rapid7 for helping us pinpoint our efforts in this area.

Regarding the claim that retrieve TrackR doesn’t require authentication, we
knew about this issue and fixed it several months ago. After that time, the
deprecated call remained online, but was no longer in use by any apps. We are
grateful that Rapid7 brought this possible point of confusion to our attention;
as of yesterday, that call has been completely removed but no consumers have
had access since we became aware of this issue in the spring.

Regarding the claim that passwords are stored in plain text on iOS datastore,
as soon as we became aware of this yesterday, we took action with an iOS update
already submitted.

Regarding the claim that sending TrackR data calls aren’t secure, as soon as we
became aware of this yesterday, our engineering team designed a fix that will
be applied by the end of next week (week of October 31st).

Regarding the claim that TrackR broadcasts a unique identifier, this is by
design. This enables the TrackR app to be more power efficient for conducting
Crowd GPS updates. This is a function common in all tracking devices with Crowd
GPS capabilities. There is no user data stored in the device and enabling
connection only allows for nearby users to ring the device. When the device is
nearby the user, the device doesn’t advertise.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References



There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.