Navigation Apps May Be Following You

'Tis the season to be ... traveling. AAA estimated that this past Thanksgiving holiday would be the biggest on the country’s highways and byways since 2005. With the winter holidays in full swing, those highways and byways won't see much rest, and many of the people traveling them will be using navigation software of some sort--whether it’s built into the car, comes in a device or is downloaded via an app onto a smartphone. According to a Gallup Poll earlier this year, 84 percent of people in the United States use navigation apps. Turns out, they may be putting themselves at risk by doing so.

In fact, as people hit the road in the coming weeks, they’ll want to be mindful of the software that drives these navigation devices, according to a report from cybersecurity vendor Checkmarx. Researchers from the company evaluated navigation software from well-known GPS makers Garmin and TomTom and found several vulnerabilities on each that could enable attackers to steal sensitive data, lock customers out of their accounts or download malware.

In a blog post, the researchers wrote that “as the industry has moved from dedicated GPS navigation devices into smartphone apps for iOS and Android, so have Garmin and TomTom, reaching into our phones, cars and all the way into watches and other wearables. It’s incredibly useful, but how successful have these companies been at developing security into their apps?”

The vulnerabilities were found not only on the Android apps available via the Google Play store, but also on software that was downloadable from the Garmin and TomTom websites. The analysts also evaluated the software on the TomTom Go 520 GPS device.

“The vulnerabilities we found could have mainly put users under the risk of private information disclosure,” Erez Yalon, Checkmarx’s head of security research, told ITPro Today in an email. “The leakage of such private information without the control or knowledge of the user is terrible on its own, but when leveraged to being used against the user--like, for example, finding their favorite locations or learning when they’re expected to be away from home for a long period of time--it worsens the threat. Other vulnerabilities could have allowed an attacker to install malware on unsuspecting users’ systems. While this kind of attack is less likely, the severity of such a threat is so high that it cannot be ignored.”

Regarding Garmin, Checkmarx researchers found several vulnerabilities on the Android app and even more on the web apps on the Garmin website. On the Android app, attackers can exploit the vulnerabilities to take over a customer’s account, giving them access to all the data stored in the account, such as personal and location information. Other issues open up the user to a denial-of-service (DoS) attack by crashing the Garmin Connect app, locking the user out of the account.

Regarding Garmin’s web apps, the vulnerabilities “indicate that they lack insight into some aspects of application security when developing the apps. Some of the vulnerabilities may allow hackers to get the names of users from the website, which is very helpful for crafting successful phishing attacks. Others may leak sensitive information, including their names and locations, while others may even allow an attacker to cause a user to download malware.”

Checkmarx’s Security Research Team contacted Garmin with its findings and worked with the navigation company to fix the issues, according to the researchers.

Checkmarx’s evaluation of the TomTom Android apps--TomTom MyDrive and GPS Traffic--and web apps, as well as the Go 520 device, found a number of vulnerabilities, including an exposed database that holds sensitive information and serves download links to users. The database could be changed by threat actors to point users to malware. In addition, the Go 520 gets updates using unencrypted HTTP, which could make customers vulnerable to man-in-the-middle attacks. Researchers also found that accounts can be hijacked using a combination of Stored XSS and CSRF (Cross-Site Request Forgery).

“A victim that will visit a specially crafted page that automatically changes the billing information of the user,” the Checkmarx analysts wrote in the blog. “A Stored XSS payload is located in the shipping street field, which sends cookie details to a remote web server. That way, attackers could steal users’ accounts; trigger a malware download; change users’ information and more.”

Once that happens, attackers have access to data that’s input into the device, such as places users typically go, road trips they take and places of interest, they said.

The researchers said they alerted TomTom to the vulnerabilities and that the company fixed some of them, including removing the vulnerable database.

Checkmarx’s Yalon said the company doesn’t have enough information to determine trends of the specific threats found, “but, as a rule-of-thumb, attackers will prefer to target ‘quality assets.’ Our increasing dependency on navigation devices and applications, and the huge amounts of private data we share [both knowingly and unknowing] with these devices and applications as part of our moving to a more digitized life, definitely makes them valued targets for bad actors.”

He also noted that users often are not aware they are under attack and continue to use devices and apps as they should, trusting that the vendors are protecting their private data.

“Users need to be informed, understand the risks and try to choose products from vendors that have proper security processes and a good track record of fixing found vulnerabilities,” Yalon said. “This information is not always available to the users, so the responsibility needs to be on the vendors themselves.”