{"vuid":"VU#617567","idnumber":"617567","name":"TrackR Bravo contains multiple vulnerabilities","keywords":["CWE-313","CWE-200","CWE-306","cleartext","password","information exposure","missing authentication","IoT"],"overview":"TrackR Bravo contains multiple vulnerabilities including sensitive information exposure and missing authentication.","clean_desc":"CWE-313: Cleartext Storage in a File or on Disk - CVE-2016-6538\nThe TrackR Bravo mobile app stores the account password used to authenticate to the cloud API in cleartext in the cache.db file. CWE-200: Information Exposure - CVE-2016-6539\nThe Trackr device ID is constructed of a manufacturer identifier of four zeroes followed by the BLE MAC address in reverse. The MAC address can be obtained by being in close proximity to the Bluetooth device, effectively exposing the device ID. The ID can be used to track devices. CWE-306: Missing Authentication for Critical Function - CVE-2016-6540\nUnauthenticated access to the cloud-based service maintained by the vendor is allowed for querying or sending GPS data for any Trackr device by using the tracker ID number which can be discovered as described in CVE-2016-6539. CWE-306: Missing Authentication for Critical Function - CVE-2016-6541\nTrackR Bravo device allows unauthenticated pairing, which enables unauthenticated connected applications to write to various device attributes. The CVSS Score below represents CVE-2016-6540","impact":"These vulnerabilities may allow an unauthenticated, remote attacker to track a user's location without their consent.","resolution":"Apply an update Updated apps, version 5.1.6 for iOS and 2.2.5 for Android, have been released by the vendor to address these vulnerabilities. See the vendor statement for more details.","workarounds":"Use with caution If a user is unable to apply an update, they should practice caution as to where these devices are used.","sysaffected":"","thanks":"Thanks to Deral Heiland and Adam Compton of Rapid7, Inc. for reporting this vulnerability.","author":"This document was written by Trent Novelly.","public":["https://www.thetrackr.com/bravo","https://community.rapid7.com/community/infosec/blog/2016/10/25/multiple-bluetooth-low-energy-ble-tracker-vulnerabilities"],"cveids":["CVE-2016-6538","CVE-2016-6539","CVE-2016-6540","CVE-2016-6541"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2016-09-09T19:46:44Z","publicdate":"2016-10-25T00:00:00Z","datefirstpublished":"2016-10-25T14:58:04Z","dateupdated":"2016-10-27T17:58:35Z","revision":36,"vrda_d1_directreport":"1","vrda_d1_population":"2","vrda_d1_impact":"2","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"","cvss_accessvector":"N","cvss_accesscomplexity":"M","cvss_authentication":null,"cvss_confidentialityimpact":"P","cvss_integrityimpact":"P","cvss_availabilityimpact":"N","cvss_exploitablity":null,"cvss_remediationlevel":"ND","cvss_reportconfidence":"ND","cvss_collateraldamagepotential":"N","cvss_targetdistribution":"L","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"5.8","cvss_basevector":"AV:N/AC:M/Au:N/C:P/I:P/A:N","cvss_temporalscore":"5.8","cvss_environmentalscore":"1.4401490775","cvss_environmentalvector":"CDP:N/TD:L/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}