Notified:  September 13, 2016 Updated: October 27, 2016

Status

Affected

Vendor Statement

We work in a fast-moving and exciting market, so we are constantly trying to improve our product and satisfy our customers. Like other IOT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security. So we want to thank the team at Rapid7 for helping us pinpoint our efforts in this area. Regarding the claim that retrieve TrackR doesn’t require authentication, we knew about this issue and fixed it several months ago. After that time, the deprecated call remained online, but was no longer in use by any apps. We are grateful that Rapid7 brought this possible point of confusion to our attention; as of yesterday, that call has been completely removed but no consumers have had access since we became aware of this issue in the spring. Regarding the claim that passwords are stored in plain text on iOS datastore, as soon as we became aware of this yesterday, we took action with an iOS update already submitted. Regarding the claim that sending TrackR data calls aren’t secure, as soon as we became aware of this yesterday, our engineering team designed a fix that will be applied by the end of next week (week of October 31st). Regarding the claim that TrackR broadcasts a unique identifier, this is by design. This enables the TrackR app to be more power efficient for conducting Crowd GPS updates. This is a function common in all tracking devices with Crowd GPS capabilities. There is no user data stored in the device and enabling connection only allows for nearby users to ring the device. When the device is nearby the user, the device doesn’t advertise.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.