
Hacked GPS tracker reveals location data of customers

Stalkerware researcher maia arson crimew strikes again. Big time.

We know maia as a researcher who loves to go after stalkerware peddlers, which Malwarebytes—as one of the founding members of the Coalition Against Stalkerware—loves to see.

This time the target company, Tracki, sells GPS trackers and doesn’t hesitate to explicitly market them as devices for spying on a spouse or other family member. Tracki devices are sold by some major telecommunication companies, sometimes under the Tracki brand and sometimes under their own label.

Tracki’s parent company Trackimo—hey, we’re not the ones that made that name up—co-owns a subsidiary called watchinU that offers a Nickelodeon-branded smart watch for kids, the NickWatch, which is currently only available in the UK and Israel.

The investigation into Tracki, besides uncovering a tangled web of companies, dubious websites, and false identities, also led to a data breach that maia says could possibly affect almost 12 million users.

Researching the technology behind the tracker and the web portal for customers that want to see all their trackers on a map, maia found various hardcoded usernames and passwords used to load data from a number of administration and support tools.

One of the tools, the Trackimo Troubleshooter, was designed for remote debugging of all Tracki and Trackimo devices, by showing the technical support agents practically all the data from any given device by just entering a device identification number.

This “simple internal support tool” required no authentication other than logging in with a password that is shared between Tracki and Trackimo employees. All you need is a device ID, which follows a standardized format, so it looks like it’s possible with a bit of scripting to grab all the relevant data from each device.

Tracki support receives multiple subpoenas per week from local and federal law enforcement worldwide. Many are for stalking or harassment but also occasionally for other charges, including domestic violence, attempted murder, and murder. In all these cases, the victim was being tracked by using a Tracki device. maia says Trackimo is not only aware of these use cases, but actively assisted customers to set up nonconsensual tracking of individuals via its helpdesk.

Worryingly, agencies and military programs in the US and other governments around the world use Tracki devices, typically for asset, personnel, and vehicle tracking.

Our takeaway from this research is that if you decide to use stalkerware, of almost any kind, you are not the only one who might be able to follow the target. We have shown time and time again that these companies do not invest as much in keeping their records secure as you would expect or hope.

If you’re curious about the companies and people behind them, please read maia’s blog. It contains a lot of juicy details.


ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.