Disability monitoring tool leaked personal information online

  • Security researchers find unprotected database belonging to AngelSense
  • Company builds GPS tracking devices for persons with disabilities
  • The database contained names, GPS data, and more

A GPS tracking gear manufacturer was reportedly at risk of leaking sensitive data on the internet, experts have warned.

Cybersecurity researchers at UpGuard discovered a non-password-protected database belonging to AngelSense exposed online. The database had been active for at least a few weeks and was being filled with information generated by the company's equipment.

AngelSense is a GPS tracking and safety device designed for individuals with special needs, such as children with autism or elderly individuals with dementia. It provides real-time location tracking, two-way voice communication, and alerts to caregivers to ensure their loved ones' safety and well-being.

Shutting down access

TechCrunch says the company is “touted by law enforcement and police departments across the US”.

Unprotected databases are, unfortunately, a common occurrence and one of the key causes of data leaks. In this incident, the company was storing logs from an AngelSense system that were updated in real time and included personal information of AngelSense customers. Names, postal addresses, phone numbers, GPS coordinates, health information, and more were being exposed. The database also kept technical logs about the company’s systems.

Email addresses, passwords, authentication tokens for accessing customer accounts, and partial credit card information were all being stored in plaintext.

The archive has since been closed down. However, the researchers couldn’t establish exactly how long the database was exposed. Its listing on Shodan shows it was first spotted on January 14, although it could have been available for longer.

It is also unknown if anyone found it before UpGuard. All a person would need is knowledge of the IP address and a browser.

“It was only when UpGuard phoned us that the issue was raised to our attention,” AngelSense CEO, Doron Somer, admitted. “Upon its discovery, we acted promptly to validate the information provided to us and to remedy the vulnerability.”

“We note that other than UpGuard, we have no information suggesting that any data on the logging system potentially was accessed. Nor do we have any evidence or indication that the data has been misused or is under threat of misuse.”

Via TechCrunch

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.