Rapid7 Finds Security Flaws in Personal Tracking Devices | eWeek

Personal Tracking Devices Expose Public Privacy Risk

Personal Tracking Devices Expose Public Privacy Risk
Oct 26, 2016
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Small tags embedded with Bluetooth Low Energy have become increasingly popular in recent years as a way for consumers to track things such as car keys or other small items. There is only one small problem: They’re also potentially a larger public privacy risk, according to new research released Oct. 25 by security firm Rapid7.

Among the trackers Rapid7 looked at is the TrackR Bravo device, which was found to have four unique vulnerabilities, including cleartext password storage (CVE-2016-6538), Tracking ID exposure (CVE-2016-6539), unauthenticated access (CVE-2016-6540) and unauthentic pairing (CVE-2016-6541) vulnerabilities.

“Originally, I became interested in conducting this research because I continually saw these devices attached to people’s key chains,” Deral Heiland, research lead at Rapid7, told eWEEK. “I did not have a specific result in mind when I set out to do this research; however, given the state of IoT [internet of things] security, I was curious about the extent of personal information that was being exposed, and what security implications were being created due to that exposure.”

Rapid7 conducted its operational analysis of the Bluetooth tracking products by using multiple tools including Burpsuite to intercept communication between the cloud and mobile applications, Heiland said. Additionally, the Rapid7 researchers used Nordic Bluetooth Low Energy (BLE) tools on Mac and smartphones combined with the Bluefruit LE sniffer to analyze the BLE communication and pairing process and identify attributes used during operations.

A core area of weakness overall in Bluetooth is the fact that it is not encrypted, and, as such, communications potentially can be intercepted and read.

“When the devices are initially paired, they derive a long-term key using a key-exchange protocol,” Heiland explained. “If you eavesdrop during this exchange, you can get in between the pairing process and can decode the communication.”

Heiland added that the Bluefruit LE sniffer tools make this simple when analyzing two devices and their communication.

While Rapid7 has found issues with Bluetooth trackers, Heiland noted that the average person may not encounter abuse of these devices related to their privacy. That said, he noted someone with a higher profile—such as someone in the government, business or entertainment sector—or someone currently having issues such as harassment or stalkers may want to avoid the use of these devices because of the elevated risk of abuse.

TrackR said no user data has been compromised, as far as the company is aware.

“As we work in a fast-moving and exciting market, we try to constantly improve our product and satisfy our customers,” Chris Herbert, CEO of TrackR, wrote in an email to eWEEK. “Like other IoT companies large and small, we also have to keep pace with the ever-evolving threats which are redefining IT security.

“We were aware of all but one of these issues and have resolutions in place for all the issues identified,” Herbert added.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.