UPDATE: Tom's Guide received a statement from TrackR, which we have reproduced in part below:
"Regarding the claim that retrieve TrackR doesn’t require authentication, we knew about this issue and fixed it several months ago. After that time, the deprecated call remained online, but was no longer in use by any apps. We are grateful that Rapid7 brought this possible point of confusion to our attention; as of yesterday, that call has been completely removed but no consumers have had access since we became aware of this issue in the spring.
Regarding the claim that passwords are stored in plain text on iOS datastore, as soon as we became aware of this yesterday, we took action with an iOS update already submitted.
Regarding the claim that sending TrackR data calls aren’t secure, as soon as we became aware of this yesterday, our engineering team designed a fix that will be applied by the end of next week (week of October 31st).
Regarding the claim that TrackR broadcasts a unique identifier, this is by design. This enables the TrackR app to be more power efficient for conducting Crowd GPS updates. This is a function common in all tracking devices with Crowd GPS capabilities. There is no user data stored in the device and enabling connection only allows for nearby users to ring the device. When the device is nearby the user, the device doesn’t advertise."
ORIGINAL: Bluetooth trackers are a boon for the perpetually forgetful, as they allow users to pinpoint keys, wallets, watches and any other small, easily lost object within close proximity. These innocuous gadgets may not seem like much of a threat, but the old refrain holds true: "If it has an operating system, it can be hacked." It turns out that three popular Bluetooth trackers may expose your password and location when paired with your phone, and there may not be any easy fix.
This information comes from Boston-based security firm Rapid7, which recently posted research about the trackers on its Community blog. Researchers Deral Heiland and Adam Compton put the TrackR Bravo, the iTrack Easy and the Zizai Tech Nut (yes, there's really a Bluetooth tracker called the "Nut") to the test, and discovered fairly significant security vulnerabilities in each one.
The TrackR Bravo appeared to be the most compromised device of the three. While the device requires a password to function, it also displays that password in clear, unencrypted text in its cache. Since users often reuse passwords (especially on small devices that don't require frequent sign-ins), the risk is clear.
The TrackR Bravo also lets unauthorized users discover a tracking ID and MAC address with any nearby device and a Bluetooth-tracking application. Used in conjunction with two further vulnerabilities — unauthenticated access and pairing — a clever user with access to only a simple smartphone could track a user's GPS movements through his or her Bluetooth-tagged gadgets.
While the vulnerabilities in the iTrack Easy were not as severe, it might still not be a device you'd want to walk around with. Like the TrackR Bravo, it reveals its tracking ID and MAC address to any passing Bluetooth tracking app. Furthermore, it doesn't hide user GPS data, meaning that while it doesn't exactly broadcast where you're going, a smart cybercriminal could sniff it out pretty easily.
At least the iTrack Easy protects its password — sort of. Like the TrackR Bravo, the cache displays the iTrack Easy's password, albeit in what looks like an encrypted form. Unfortunately, that "encryption" is nothing more than Base64 encoding, which is a reversible encoding rather than encryption and can be undone by anyone in seconds.
The Zizai Tech Nut is arguably the worst of the three. Not only does it display a clear text password in the cache, like the TrackR Bravo, but it doesn't even use simple HTTPS encryption for its communication sessions. Instead, its app talks to a plain HTTP website, and that unencrypted traffic carries reusable authentication information. Finally, the device is vulnerable to unauthorized pairing, meaning anyone in a crowded area could hijack it. Since the device has alarm functionality, picking out its owner on the street would be trivial.
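The clear-text and Base64 "encrypted" passwords described above are the same underlying problem: a stored value that can be read back without any key. As an added illustration (not code from Rapid7 or from any of the vendors), the following heuristic audit walks a constructed app data store and separates secrets stored in the clear, secrets that merely Base64-decode to readable text, and values that look like genuine ciphertext; the key names, values and thresholds are all assumptions made up for the example.

```python
import base64
import binascii
import math
import string
from collections import Counter

PRINTABLE = set(string.printable) - set("\x0b\x0c")
SENSITIVE_MARKERS = ("password", "passwd", "secret", "token")
# Constructed sample of an app's local data store: hypothetical keys and values, not taken
# from any real tracker app. The token is Base64 over random-looking bytes, standing in for
# a blob that is genuinely encrypted and therefore unreadable without a key.
OPAQUE_BLOB = base64.b64encode(bytes(range(0x80, 0x98))).decode("ascii")
SAMPLE_STORE = {
    "user_email": "owner@example.com",  # not a secret; the audit ignores it
    "password": "hunter2",              # in the clear (TrackR Bravo / Nut pattern)
    "cached_password": "aHVudGVyMg==",  # Base64("hunter2"): encoded, not encrypted (iTrack Easy)
    "backup_password": "letmein1",      # plain text that merely happens to parse as Base64
    "session_token": OPAQUE_BLOB,       # high-entropy bytes: not recoverable by decoding
}

def shannon_bits_per_byte(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def decoded_text(raw: bytes):
    """raw as a str if it is non-empty printable UTF-8, otherwise None."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text and all(ch in PRINTABLE for ch in text) else None

def classify_stored_value(value: str):
    """Heuristic: ("plaintext", value), ("base64", decoded) or ("opaque", None)."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return ("plaintext", value)  # not even Base64-shaped: readable exactly as stored
    text = decoded_text(raw)
    if text is not None:
        return ("base64", text)  # reversible encoding, so no real protection at all
    if len(raw) >= 12 and shannon_bits_per_byte(raw) >= 3.5:
        return ("opaque", None)  # looks like ciphertext or random bytes (assumed thresholds)
    return ("plaintext", value)  # short plain string that only parses as Base64 by accident

def audit_store(store: dict) -> list:
    """(key, classification, recovered value) for every secret-looking key in the store."""
    return [(key,) + classify_stored_value(value) for key, value in store.items()
            if any(m in key.lower() for m in SENSITIVE_MARKERS)]
```

Any "plaintext" or "base64" finding for a password key is the defect the researchers describe; the fix on a phone is to keep the credential in the platform keystore (Keychain on iOS, Keystore on Android) rather than in app-readable storage.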
Bluetooth trackers are small devices without an easy framework for firmware updates, so if you bought one, you may be stuck with its inherent vulnerabilities. On the other hand, the relative risk is low; each one of these vulnerabilities requires a somewhat sophisticated (or at least time-consuming) exploit from a knowledgeable security expert. Frankly, there are easier ways to steal a user's password, or lift their wallet.
There's also some good news. Rapid7 also tested the popular Tile tracker, and found no vulnerabilities in it. So there's at least one safe way to find your keys.