In the United States alone, 84% of adults are using navigation applications, according to a recent Gallup poll. Whether they’re downloading it in an app store or the navigation capability is already built into the car, these navigation tools are taking us to the grocery store, to our grandparents’ house, to job interviews, and everywhere in between and beyond. People around the world pull out devices and launch the navigation apps that lead millions to their destinations every day.
(In)Security in Navigation Apps
The Checkmarx Security Research Team decided to take a look into the navigation apps from two well-known GPS navigation makers: Garmin and TomTom. As the industry has moved from dedicated GPS navigation devices to smartphone apps for iOS and Android, so have Garmin and TomTom, reaching into our phones and cars and all the way into watches and other wearables. It’s incredibly useful, but how successful have these companies been at building security into their apps?
Garmin: Vulnerabilities and Remediation
On the Garmin Android app, our team found several vulnerabilities. These vulnerabilities can result in a Garmin account takeover, which means that a hacker may have access to all of the user’s data stored in the Garmin account. This data may include private, personal information and location. Other vulnerabilities we discovered enable an attacker to lock users out of their account. That’s considered a Denial of Service attack, or DoS.
On Garmin’s web apps (their websites) we found many more vulnerabilities. These vulnerabilities indicate that they lack insight into some aspects of application security when developing the apps. Some of the vulnerabilities may allow hackers to get the names of users from the website, which is very helpful for crafting successful phishing attacks. Others may leak sensitive information, including their names and locations, while others may even allow an attacker to cause a user to download malware.
We contacted Garmin with a detailed report, showing where we found issues in their web applications and Android apps. In our research, we ordered the list based on the CVSS 3 score calculator and provided possible attack scenarios for several security issues. Here are a few of the vulnerabilities we discovered:
- CSRF – Account takeover on SSO endpoint.
Attack vector: When a user resets their password, a temporary password is sent via email. When the user logs in with this temporary password, a new password can be set. However, the endpoint does not check the referrer, and there is no CSRF token to rule out an externally originated request.
- Username and group enumeration on Garmin Connect.
Attack vector: It’s possible for a malicious user to retrieve all users and groups, bypassing the pagination and character limits on the Garmin Connect system. There is also a denial-of-service risk, since very large quantities of data can be requested.
- App Crash and Denial of Service.
Attack vector: In certain scenarios it’s possible to crash the Garmin Connect app of the victim, creating a denial of service attack.
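An added example (not Garmin’s code and not the research team’s proof of concept) of the two checks the set-password endpoint above was missing: an Origin/Referer check and a session-bound CSRF token. The site origin, session layout and function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed site origin; the real SSO host is not part of this write-up.
ALLOWED_ORIGINS = {"https://sso.example.com"}


def new_session(user):
    """Session created after login with the temporary password.
    It also carries a per-session CSRF token for the set-password form."""
    return {"user": user, "csrf": secrets.token_urlsafe(32), "password": None}


def set_password_weak(session, form):
    """The weak pattern: a logged-in session is all that is checked, so a
    form auto-submitted from any other site can choose the new password."""
    session["password"] = form["new_password"]
    return 200, "password changed"


def origin_ok(headers):
    """Accept the request only if Origin (or, failing that, Referer)
    names the site itself; reject when neither header is present."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlparse(src)
    return f"{p.scheme}://{p.netloc}" in ALLOWED_ORIGINS


def set_password_hardened(session, form, headers):
    """Origin/Referer check plus a synchronizer CSRF token bound to the
    session, compared in constant time and rotated after each use."""
    if not origin_ok(headers):
        return 403, "cross-site request rejected"
    token = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    session["password"] = form["new_password"]
    session["csrf"] = secrets.token_urlsafe(32)
    return 200, "password changed"
```

The hardened handler still needs the token rendered into the legitimate form (a hidden field) so that only pages served by the site can submit it.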
Just listing the vulnerabilities isn’t enough, of course. We also described each one and created proofs of concept for each, testing in our own accounts and taking measures to not abuse the number of requests made. We also shared how the Garmin team could solve the problems and prevent each type of attack from happening. We worked closely with their team, and Garmin was responsive and fixed every issue that we disclosed. We’re happy that the Checkmarx Security Research Team was able to help Garmin improve their own security and that of their clients.
TomTom: Vulnerabilities and Remediation
Our research scope included TomTom web applications, Android applications (TomTom MyDrive and TomTom GPS Traffic) and the Go 520 GPS device. We were sorry to find a plethora of vulnerabilities in all of them. A few of the security issues we found included:
- An exposed database.
Attack vector: This database carries a lot of sensitive information and serves download links to users, which means it could be abused by an attacker to change the links to point towards malware.
- The GO 520 GPS device fetches updates over unencrypted HTTP.
Attack vector: A man-in-the-middle attacker could change the update URL so that the device fetches rogue firmware, which could damage or backdoor the device or even be used to track unsuspecting users.
- Stored XSS and CSRF.
Attack vector: Accounts can be hijacked using a combination of Stored XSS and CSRF. A victim who visits a specially crafted page has their billing information changed automatically. A Stored XSS payload placed in the shipping street field sends cookie details to a remote web server. In this way, attackers could steal users’ accounts, trigger a malware download, change users’ information, and more. After hijacking the account, the attacker has access to the data entered into the device, including the places you typically go, the road trips you take and your points of interest. This data could be exploited or used by anyone.
- Subdomain takeover.
Attack vector: It’s possible to register the Amazon AWS bucket that christmas.tomtom.com points to and use that domain to trick victims. CNAME records left in place after the target is gone hand malicious users a ready-made weapon.
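An added audit script (not TomTom’s tooling and not the research team’s proof of concept) that flags the kind of dangling CNAME described above: a hostname whose CNAME names an S3 bucket that nobody currently owns. The zone records, bucket list and existence probe are constructed stand-ins; in a real audit the probe would be an HTTPS request to the bucket endpoint.

```python
import re
from typing import Callable, Dict, List, Optional

# S3 endpoint forms a CNAME may point at: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com, bucket.s3-website-<region>.amazonaws.com.
# The bucket name is always the leading label(s) before ".s3".
S3_TARGET = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com\.?$"
)


def s3_bucket_from_cname(target: str) -> Optional[str]:
    """Return the bucket name if the CNAME target is an S3 endpoint."""
    m = S3_TARGET.match(target.lower())
    return m.group("bucket") if m else None


def find_dangling(records: Dict[str, str],
                  bucket_exists: Callable[[str], bool]) -> List[dict]:
    """records maps hostname -> CNAME target; bucket_exists is an injected
    probe so the audit can run offline. A record is dangling when it names
    a bucket that does not exist: whoever creates that bucket then serves
    content under the organisation's hostname."""
    findings = []
    for host, target in records.items():
        bucket = s3_bucket_from_cname(target)
        if bucket is None:
            continue  # not an S3 target; other providers need their own check
        if not bucket_exists(bucket):
            findings.append({"host": host, "target": target, "bucket": bucket})
    return findings


# Constructed zone extract and a fake probe standing in for a real
# request to the bucket endpoint (NoSuchBucket => bucket does not exist).
SAMPLE_RECORDS = {
    "holiday.example.com": "holiday-campaign.s3-website-eu-west-1.amazonaws.com",
    "static.example.com": "static-assets.s3.amazonaws.com",
    "www.example.com": "lb.example.net",
}
EXISTING_BUCKETS = {"static-assets"}


def audit_sample() -> List[dict]:
    return find_dangling(SAMPLE_RECORDS, lambda b: b in EXISTING_BUCKETS)


if __name__ == "__main__":
    for f in audit_sample():
        print(f"dangling: {f['host']} -> {f['target']} (bucket {f['bucket']})")
```

Running the same audit on each DNS change, and deleting the CNAME before the bucket is decommissioned, closes the window in which the hostname can be claimed.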
There are many other smaller, less dramatic vulnerabilities that we sent TomTom in our report, but the overall picture our research paints is of software left exposed by low security standards.
We took the same approach with our TomTom research as we did with Garmin, providing a list of the security issues, including the CVSS score based on the CVSS 3 calculator. We shared possible attack scenarios, proofs of concept and provided solutions that would help their team remediate the issues.
Our experience with TomTom was quite different from our experience with the Garmin security and development teams, however. Although TomTom actually sent our research team sport watches to thank us for the security research and insight provided, TomTom fixed only a few of the vulnerabilities we found. For example, the vulnerable database was removed, but the Go 520 GPS vulnerability is still there, as are many others. We’ve provided time and advice for resolving these issues, though some of the issues remain unresolved.
Security Is Essential When Software Runs Everything
As a society, we’re increasingly reliant on our web apps and smartphone apps to help us get things done, whether that’s traveling safely every day to work or school, seeing family and friends during the holidays, banking online or in a dedicated app, meeting someone special on a dating app or website, or even using smart devices in our homes. Every organization is delivering software to market faster, and software powers the tools we use in our lives every day. I’m glad our security research team can help organizations remediate issues when we find them, but we’re also hoping that bringing these issues to light will continue to place an emphasis on the importance of software security throughout the development lifecycle to manage software exposure.