Executive Summary

Title iTrack Easy contains multiple vulnerabilities
Name VU#974055 First vendor Publication 2016-10-25
Vendor VU-CERT Last vendor Modification 2016-10-25
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Cvss Base Score 5 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#974055

iTrack Easy contains multiple vulnerabilities

Original Release date: 25 Oct 2016 | Last revised: 25 Oct 2016


iTrack Easy contains multiple vulnerabilities including sensitive information exposure and missing authentication.


CWE-200: Information Exposure - CVE-2016-6542

The iTrack device tracking ID number is the device's BLE MAC address. It can be obtained by being in range of the device.

CWE-799: Improper Control of Interaction Frequency - CVE-2016-6543
A captured MAC/device ID can be registered under multiple user accounts allowing access to getgps GPS data, which can allow unauthenticated parties to track the device.

CWE-306: Missing Authentication for Critical Function - CVE-2016-6544
getgps data can be modified without authentication by setting the data using the parametercmd:setothergps. This vulnerability can be exploited to alter the GPS data of a lost device.

CWE-613: Insufficient Session Expiration - CVE-2016-6545
Session cookies are not used for maintaining valid sessions. The user's password is passed as a POST parameter over HTTPS using a base64 encoded passwd field on every request.

CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6546
The iTrack Easy mobile application stores the account password used to authenticate to the cloud API in base64-encoding in the cache.db file. The base64 encoding format is considered equivalent to cleartext.

The CVSS Score below represents CVE-2016-6544


These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.


The CERT/CC is currently unaware of a practical solution to this problem.

Use with caution

Until the vendor supplies a patch, the user should practice caution as to where these devices are used.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
iTrackAffected13 Sep 201625 Oct 2016
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://www.ieasytec.com/
  • https://community.rapid7.com/community/infosec/blog/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities


Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.

This document was written by Trent Novelly.

Other Information

  • CVE IDs:CVE-2016-6542CVE-2016-6543CVE-2016-6544CVE-2016-6545CVE-2016-6546
  • Date Public:25 Oct 2016
  • Date First Published:25 Oct 2016
  • Date Last Updated:25 Oct 2016
  • Document Revision:21


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/974055

CWE : Common Weakness Enumeration

% Id Name
17 % CWE-384 Session Fixation
17 % CWE-287 Improper Authentication
17 % CWE-284 Access Control (Authorization) Issues
17 % CWE-255 Credentials Management
17 % CWE-200 Information Exposure
17 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

Application 1
Application 1
Application 1

Alert History

If you want to see full details history, please login or register.
Date Informations
2018-09-12 00:21:40
  • Multiple Updates
2018-09-07 21:21:03
  • Multiple Updates
2018-07-14 00:21:04
  • Multiple Updates
2016-10-25 21:19:58
  • Multiple Updates
2016-10-25 17:22:56
  • First insertion