These Chinese GPS trackers can track you anywhere you go and are marketed to keep children and senior citizens safe — but security researchers found that the devices, which are being used in the US, Europe and other regions, have a handful of dangerous vulnerabilities.
For starters, the T8 Mini GPS trackers from Shenzhen i365 Tech have “123456” as their default password. They all shipped with the same password, and that password also extends to nearly 30 other models in the company’s lineup, Martin Hron, senior researcher with cybersecurity company Avast, said Thursday.
“The default password 123456 can easily be changed by the user at the first time they do unboxing,” Allenli Kyao, Shenzhen i365’s director of international sales, said in an email on Friday.
Internet of things devices are often criticized for their weak security standards, and lawmakers are worried too. Default passwords are a common flaw for connected gadgets. There's even a website that displays footage from home cameras left unsecured by the people who bought the products. The problem's so bad that California passed a law prohibiting IoT devices from having default passwords.
Avast estimated that more than 600,000 GPS trackers from Shenzhen i365 Tech were being used with this major security flaw. Once hackers figured out the password, they’d have complete access to people’s real-time location data.
“When I first saw it, I thought to myself: ‘Oh, not again,’” Hron said in a statement. “So I wasn’t surprised, considering the fact that default password is the No. 1 vulnerability of IoT devices. What is different in this case is the scale — the fact that even the username is quite predictable and also the very personal nature of data being exposed.”
Though the manufacturer is based in China, Avast’s analysis found that these GPS trackers are being used in the US, across Europe, Australia, South America and Africa.
On the product’s website, the GPS tracker is advertised for children, the elderly, pets and luggage, and is touted as being able to track people throughout a global network. The default password is also posted in the advertisement.
Even if people did change their passwords after buying the devices, other vulnerabilities exist, Avast said.
All the requests from the GPS tracker’s apps are unencrypted, which means anyone on the same Wi-Fi network can take control of the device. This could, for instance, let potential hackers hijack the tracker’s microphone and eavesdrop on conversations. Sensitive data from the device, including location coordinates, is also unencrypted when it’s sent to online servers, Avast said.
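The two weaknesses described above (a shared default password and app-to-cloud traffic sent in the clear) are the kind of thing a buyer or an IT team can check for before trusting a tracker. The following audit script is an added example and is not code from Avast or from Shenzhen i365; it runs over a constructed set of request records shaped like what a network capture of a tracker app would show (hostnames, IMEI-style usernames and coordinates are all made up) and reports, per request, whether the transport is cleartext, whether the password is a known default, and whether credentials or location data would be visible to anyone on the same network.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample of app-to-cloud requests (not captured from a real device).
# Each entry is (method, url, body) as it would appear in a network capture.
SAMPLE_REQUESTS = [
    ("POST", "http://tracker.example.invalid/api/login",
     "username=8612345678901&password=123456"),
    ("POST", "http://tracker.example.invalid/api/report",
     "lat=37.7749&lon=-122.4194&imei=8612345678901"),
    ("POST", "https://tracker.example.invalid/api/login",
     "username=8612345678901&password=Zq7!vPm2rT"),
]

# Passwords that should never be in use on a deployed device; "123456" is the
# one reported for the T8 Mini, the others are common factory defaults.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "000000"}

# Form fields that carry a position; if these travel over plain HTTP the
# tracked person's location is readable by anyone on the path.
LOCATION_KEYS = {"lat", "lon", "latitude", "longitude"}


def audit_request(method, url, body):
    """Return a list of finding labels for one request (empty list = clean)."""
    findings = []
    scheme = urlsplit(url).scheme.lower()
    # parse_qs gives lists per key; the sample bodies have one value per key.
    params = {k: v[0] for k, v in parse_qs(body).items()}

    cleartext = scheme == "http"
    if cleartext:
        findings.append("cleartext-transport")

    if "password" in params:
        if params["password"] in DEFAULT_PASSWORDS:
            findings.append("default-password")
        if cleartext:
            findings.append("credentials-in-cleartext")

    if cleartext and LOCATION_KEYS & params.keys():
        findings.append("location-in-cleartext")

    return findings


def audit_all(requests=SAMPLE_REQUESTS):
    """Audit every request and return the findings in the same order."""
    return [audit_request(*req) for req in requests]


if __name__ == "__main__":
    for (method, url, _), findings in zip(SAMPLE_REQUESTS, audit_all()):
        print(f"{method} {url}: {', '.join(findings) or 'no findings'}")
```

The first sample request trips all three credential-related findings, the second shows the location leak on its own, and the third (HTTPS with a non-default password) comes back clean; the point is that a default password and a cleartext channel are separate defects, so changing the password alone, as L9 notes, does not close the exposure.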
Avast said it reached out multiple times to Shenzhen i365 Tech in June to warn the manufacturer about the critical security issues but never heard back.
“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said.
Originally published on Sept. 5 at 6 a.m. PT.
Updated on Sept. 6 at 7:20 a.m. PT: To add a response from Shenzhen i365.