Years ago I purchased a TKSTAR vehicle tracker from Amazon, but I had so many security concerns, I returned it immediately. I found another vehicle tracker sold by ALDI, but after purchasing the device found that it used the same TKSTAR web services.
I notified TKSTAR, Amazon and ALDI at the time, but they didn’t seem to take much/any action. I also left product reviews. I am now publishing my findings here.
Known Security Issues
1. Use of Default Password (Insecure Authentication)
Providing a default password on purchased devices is a well-known poor security practice. In this case, the default password occurs almost every year in the list of most commonly leaked passwords.
Most companies switched away from this practice many years ago. They should instead use auto-generated passwords, or the user should be required to change the password when first using the device.
Since 29th April 2024, it has been illegal in the UK to sell smart devices with a default password which can be easily discovered online. Here the default password lives on a cloud service rather than on the device itself, which may mean that the law does not apply, but in my opinion this is worse: if left unchanged, the default password can be used to remotely access the device from anywhere.
See the New Security Law for Smart Devices guidance from the National Cyber Security Centre for more details about the law.
2. Auto-incrementing ID/Username (Enumeration Attack)
TKSTAR do not generally call this a username; they refer to it as an ID, but functionally it is what most people would recognise as a username. In this case it is just the device serial number. Since device serial numbers are usually incremental (and indeed are in this case), determining the ID/Username for another device is as simple as adding or subtracting 1 from a known serial number.
When combined with the default password, it is extremely easy to gain access to other accounts. Many users may not bother to change the default password since it is easy to remember. It is not possible to change the ID, which, in addition to preventing users from making their accounts more secure, means that returned or refurbished devices which are resold cannot be given new credentials.
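The two issues above have a well-understood fix on the service side: issue each device an opaque account identifier that has no relationship to its serial number, give it a random initial password that is never a known-leaked value, and force a change on first login. The following is an added example that is not TKSTAR's code; the account store, the leaked-password list and the provisioning flow are assumptions to show the pattern, and re-provisioning a serial number retires the previous account so a returned or resold device gets fresh credentials.

```python
import hashlib
import hmac
import secrets
import string

# Constructed stand-in for a published list of commonly leaked passwords;
# a real service would load the full list from a file.
LEAKED_PASSWORDS = {"123456", "password", "qwerty", "111111", "12345678", "123456789"}

ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 12
PBKDF2_ROUNDS = 200_000


def generate_account_id():
    """Opaque login identifier that cannot be derived from the serial number."""
    return secrets.token_urlsafe(12)


def generate_initial_password(length=16):
    """Random per-device password that is never on the leaked list."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if pw.lower() not in LEAKED_PASSWORDS:
            return pw


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def provision_device(accounts, serial):
    """Create a fresh account for a serial number.

    Any existing account for the same serial (a returned device being resold)
    is retired first, so the previous credentials stop working.
    """
    for account_id, record in list(accounts.items()):
        if record["serial"] == serial:
            del accounts[account_id]

    account_id = generate_account_id()
    initial_password = generate_initial_password()
    salt, digest = hash_password(initial_password)
    accounts[account_id] = {
        "serial": serial,
        "salt": salt,
        "digest": digest,
        "must_change_password": True,  # forces a change on first login
    }
    # Both values go on the card in the box, not in a manual shared by every unit.
    return account_id, initial_password


def login(accounts, account_id, password):
    record = accounts.get(account_id)
    if record is None or not verify_password(password, record["salt"], record["digest"]):
        return "denied"
    if record["must_change_password"]:
        return "change_password_required"
    return "ok"


def change_password(accounts, account_id, new_password):
    """Reject short or known-leaked passwords; clear the first-login flag."""
    if len(new_password) < MIN_LENGTH or new_password.lower() in LEAKED_PASSWORDS:
        return False
    record = accounts[account_id]
    record["salt"], record["digest"] = hash_password(new_password)
    record["must_change_password"] = False
    return True
```

Because the account identifier is random, knowing one device's credentials tells an attacker nothing about its neighbours on the production line, and because the initial password is unique per device there is no single default to guess.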
Other Concerns
Sensitive Information
The information being sent by these devices is sensitive. As a very basic example:
- If the tracker does not move and is in the same place across numerous days, it is likely at someone’s home address.
- If the tracker then moves from this location, it is likely they have gone out and the house may be empty.
- If the tracker regularly moves to the same location during the day, it is likely someone’s place of work.
I did not check thoroughly, but I am not aware of anything in the web app that shows where logins came from, so users may have no way of knowing that they are being monitored.
It would also not be difficult to write a program to attempt login using the default credentials, starting from a known serial number and working outwards. This could then build a database of vulnerable active trackers. There is a CAPTCHA on the page (I am unsure if this is a new addition) but it appears to be an older version which may be easily bypassed.
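The scan described above, walking outwards from a known serial number with the default credentials, has a recognisable signature on the service side: one source touching a near-contiguous run of IDs within a short period. The following is an added example, not code from TKSTAR or from the original post, of detection logic run over a constructed authentication log. The log format, the 10-minute window and the thresholds are assumptions; a real deployment would tune them and alert the owners of any account that saw a successful login during the run.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log for illustration; the line format is assumed.
# The first source walks six consecutive IDs and gets in to one of them.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 id=8610000000101 result=fail
2024-05-01T10:00:02Z src=203.0.113.5 id=8610000000102 result=fail
2024-05-01T10:00:02Z src=203.0.113.5 id=8610000000103 result=success
2024-05-01T10:00:03Z src=203.0.113.5 id=8610000000104 result=fail
2024-05-01T10:00:04Z src=203.0.113.5 id=8610000000105 result=fail
2024-05-01T10:00:05Z src=203.0.113.5 id=8610000000106 result=fail
2024-05-01T10:03:00Z src=198.51.100.7 id=8610000000250 result=fail
2024-05-01T10:03:30Z src=198.51.100.7 id=8610000000250 result=success
2024-05-01T11:30:00Z src=192.0.2.9 id=8610000000300 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) id=(?P<id>\d+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Return (timestamp, source, numeric id, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], int(m["id"]), m["result"]))
    return events


def detect_sequential_spray(events, window=timedelta(minutes=10), min_ids=5, max_gap=2):
    """Flag any source that, within one window, tries at least `min_ids` distinct IDs
    forming a near-contiguous numeric run (adjacent IDs at most `max_gap` apart).

    A legitimate user logs in to one or two IDs; walking a serial range does not.
    """
    by_src = defaultdict(list)
    for ts, src, dev_id, result in events:
        by_src[src].append((ts, dev_id, result))

    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ids = sorted({dev_id for _, dev_id, _ in span})
            if len(ids) < min_ids:
                continue
            if max(b - a for a, b in zip(ids, ids[1:])) > max_gap:
                continue
            # Keep the widest qualifying run seen for this source.
            if best is None or len(ids) > best["ids"]:
                best = {
                    "src": src,
                    "ids": len(ids),
                    "lowest": ids[0],
                    "highest": ids[-1],
                    # Accounts that accepted the login during the run need a forced reset.
                    "compromised": sorted({d for _, d, r in span if r == "success"}),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sequential_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

The single failed-then-successful login from the second source is an ordinary typo and is not flagged, which is the distinction a CAPTCHA alone cannot make; the first source is flagged with the one account that accepted the default credentials listed for follow-up.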
Lack of Multi-Factor Authentication (MFA)
Many sites now support MFA (sometimes referred to as two-factor authentication or 2FA). For a site holding near real-time location data, the user should ideally be prompted to enable it when first logging in. MFA helps protect against password re-use and can mitigate the risk of some data breaches. As noted in the previous section, the data is highly sensitive and this level of protection should be available.
Password Reset
The password reset procedure is not something I have investigated thoroughly, but I have concerns about the level of information required to have the password reset to the default.
From my email history, I believe I attempted to change the password on my device to something more secure. When I generate passwords, I occasionally produce one that is too complex for the service, which then stores an unknown or invalid value. On this occasion, I had to email support to ask them to unlock my account. They seemed to action this with only the device ID. It is possible they also checked my email address, but I am unsure if I had this stored on the account. The account was pre-registered by them, so I did not need to register using it.
Additionally, the forgot password dialog requires the device ID and a phone number. I suspect this is the phone number of the SIM card in the tracker. The ID cannot be changed, so if both details are compromised the phone number is the only one of the two that can be replaced, which should at least be possible. Based on other observations, I expect using this form will simply reset the password to the insecure default.
Lack of End-to-End Encryption
This is a prime use case for end-to-end encryption, and something which Google has implemented in their item trackers from the initial release. This would prevent even the manufacturer from seeing the location data the device is sending.
Responses
I did contact both TKSTAR and ALDI about these issues in Feb 2022. I have not published the findings before now because this is very easy to exploit, and I had hoped they would improve their security. They have not.
ALDI’s Response
We are sorry to learn that the product is not as it should be. I have logged your comments on our system to be reviewed by our Quality Assurance department.
Aldi provide a 60 day inspection period on all our products; customers are given the opportunity to exchange or refund an item under our no quibble guarantee.
The product remained on sale. As far as I know, no updates were provided to the product and no recall was issued.
TKSTAR’s Response
Regarding the default password and incrementing ID:
You can reset the password yourself after you get the device activated.
I pushed on the issue further highlighting that this requires customers to know they need to change the password to secure the devices. This resulted in the following response:
Thank you very much for your suggestion, I have contacted the technical staff, it will be improved later.
The login page may have been updated to include a basic CAPTCHA to prevent simple scripting attacks, but it appears to be an older CAPTCHA which likely can be easily bypassed.
Amazon
I am unsure what response I got from Amazon. I have email traces of the reason for the return, and of the review I left on the product highlighting the issues.
Outcomes
Some of my reviews have been marked by other users as helpful. The CAPTCHA may be a result of this, but it is insufficient to address the issues.
I am unsure if it is the device I bought from Amazon or ALDI, but I found the serial number in my email. It seems it has been sold on to someone else who has neglected to change the default password.
Conclusion
The lesson here is far greater than just for this tracker. I expect there are many aimed at the budget market which have similar or only slightly better security. Location information is highly sensitive, and we should be careful who we are trusting with that data.