Security Flaw: over 600,000 kid-friendly GPS trackers use 123456 as default password, posing security threat


GPS trackers are helpful tools for families, whether they’re used for children, the elderly, or with pets. However, a security firm discovered that the devices may not be as secure and safe as users may think.

People often use small GPS trackers to help them locate children, elderly family members, or even pets. These devices are easy to carry because of the small size, with some even having microphones or cameras, and they are easy to find on sites such as Amazon and eBay for decent prices that range between $25 and $50.

However, a recent discovery by security firm Avast reveals that hundreds of thousands of such GPS trackers may not be secure. Upon testing the T8 Mini GPS Tracker from manufacturer Shenzhen i365 Tech as well as 29 similar GPS trackers, mostly from the same company, researchers from Avast Threat Labs found that the International Mobile Equipment Identity (IMEI) of the units has only 11 digits when the international standard says it should have 15. What’s more, they also found that these devices all have the same default password: 123456.

Because of this, the researchers easily found over 600,000 devices being used with the same password, all transmitting data in plaintext using commands that are easily reverse engineered.

This means that potential attackers can access the data and even modify it to report different coordinates than the ones reported by the tracker. They can also send a text message to the phone attached to the account, thereby obtaining that phone number, and restore the devices to factory settings, among other privacy and security issues such as access to the microphone.

“As you can see there are strong indicators that this issue goes far beyond the scope of one vendor. We found similar APIs being used by different applications, also found models that are not being made by this particular vendor that is linked to this cloud infrastructure,” researchers wrote.

The GPS trackers as well as the 50 affected apps can be found in the Avast report. Researchers reached out to the vendor of the GPS trackers last June 24 but did not get a response.
