Meitrack T366G-L
- T366L_Y24H131V039
A vulnerability exists in Meitrack T366G-L GPS Tracker devices due to the SPI flash chip (Winbond 25Q64JVSIQ) being accessible without authentication or tamper protection. This flaw allows an attacker with physical access to the device to use a standard SPI programmer to extract the firmware with flashrom. The extracted firmware may contain sensitive configuration data, including APN credentials, backend server information, and network parameters, all stored in plaintext. Additionally, this access could be used to modify the firmware and re-flash the device.
Exploitation of this vulnerability leads to unauthorized access to the device's firmware and plaintext configuration data, such as APN credentials. There is also potential for integrity issues, as the extracted firmware could be modified and re-flashed onto the device.
To reproduce this vulnerability, disassemble the T366G-L GPS tracker to access the printed circuit board (PCB). Locate the SPI flash chip, Winbond 25Q64JVSIQ, along with the test pads or debug header. Connect a standard SPI programmer, like the CH341A, to the appropriate pins on the chip. Once connected, use flashrom to dump the firmware, which will include sensitive configuration data in plaintext.
Meitrack should implement physical protections, such as epoxy or potting, and remove debug pads from production units. Enforcing secure boot with signed firmware, encrypting sensitive data at rest, and providing a provisioning flow that rotates secrets on first boot are also recommended. For operators, it's advised to treat physical access as compromised, restrict device access, rotate backend credentials if integrity is suspected, and network-segment tracker infrastructure.
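One way to check the "encrypting sensitive data at rest" recommendation before a firmware release, as an added example that is not Meitrack's code or part of the original advisory: the script searches a built image for provisioning secrets the vendor already knows and measures the entropy of the configuration region. The partition offset and size, the secret values and both sample images are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")  # forms a string may take in flash

def find_plaintext_secrets(image, secrets):
    """Return (label, encoding, offset) for each occurrence of a known secret."""
    hits = []
    for label, value in secrets.items():
        for enc in ENCODINGS:
            needle = value.encode(enc)
            pos = image.find(needle)
            while pos != -1:
                hits.append((label, enc, pos))
                pos = image.find(needle, pos + 1)
    return hits

def shannon_entropy(data):
    """Bits per byte: close to 8 for ciphertext, far lower for text or 0xFF padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def audit_image(image, secrets, cfg_offset, cfg_len, min_entropy=7.5):
    """Fail the release if a secret is readable or the config region is not high-entropy."""
    hits = find_plaintext_secrets(image, secrets)
    entropy = shannon_entropy(image[cfg_offset:cfg_offset + cfg_len])
    return {"hits": hits, "config_entropy": entropy,
            "passed": not hits and entropy >= min_entropy}

# --- Constructed sample data (not taken from any real device) ---
CFG_OFFSET, CFG_LEN = 0x1000, 0x1000  # hypothetical config partition
SECRETS = {"apn_user": "demo-user", "apn_password": "demo-pass-1234"}

def build_image(config_blob):
    """Erased flash (0xFF) with the config blob placed at CFG_OFFSET."""
    blob = config_blob.ljust(CFG_LEN, b"\xff")
    return b"\xff" * CFG_OFFSET + blob + b"\xff" * 0x1000

PLAINTEXT_CFG = b"APN=internet.example;USER=demo-user;PASS=demo-pass-1234"
# Stand-in for an encrypted blob: deterministic pseudo-random bytes, not real encryption.
OPAQUE_CFG = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))

if __name__ == "__main__":
    for name, cfg in (("plaintext", PLAINTEXT_CFG), ("opaque", OPAQUE_CFG)):
        r = audit_image(build_image(cfg), SECRETS, CFG_OFFSET, CFG_LEN)
        print(name, "passed" if r["passed"] else "FAILED", r["hits"], round(r["config_entropy"], 2))
```

The entropy threshold is a heuristic, since compressed data also scores high; the known-secret search is the check that decides.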