Over half a million active GPS trackers have ‘123456’ as default password


Researchers have found serious security vulnerabilities in over 600,000 GPS trackers available for sale on Amazon and other online retail merchants that may have exposed user data, including the exact real-time GPS coordinates.

Czech cybersecurity firm Avast, which disclosed the vulnerabilities, said it informed the manufacturer about the flaws on June 24, 2019, but added they never got a response to their repeated messages.

The trackers — 31 models in all that are made by Chinese IoT manufacturer Shenzhen i365 Tech — allowed users to keep tabs on their children’s whereabouts through a companion app and a web portal, while the trackers uploaded the location information to a cloud server that communicated with the apps.

But researchers noted this setup was replete with flaws. Not only was the information on the web portal and the Android app sent to the server unencrypted (i.e. HTTP as opposed to HTTPS), the usernames were based on the trackers’ IMEI (International Mobile Equipment Identity) number, with the default password being “123456.”

Avast warned that hackers can use this information to intercept data and issue unauthorized commands, using the tracker to call and message arbitrary phone numbers, thereby letting them spy on conversations around the tracker without the user’s knowledge.

In addition, this can also allow a malicious user to take over victims’ accounts by going through the trackers’ IMEI codes in sequence and the same password “123456,” effectively locking them out. The attacker can even get the real-time GPS coordinates by just sending an SMS to the phone number associated with the SIM card that’s inserted into the tracker.
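For operators of a portal like this, the sequential walk through IMEI-based usernames described above is visible in login logs. The following is an added example, not code from Avast or the vendor: it flags source addresses that try runs of consecutive IMEI usernames. The log format, the sample lines, the function name and the assumption that the username is the bare 15-digit IMEI are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; the format (time, source IP, username, result) is hypothetical.
SAMPLE_LOG = """\
2019-09-05T10:00:01Z 198.51.100.7 356789012345601 FAIL
2019-09-05T10:00:02Z 198.51.100.7 356789012345619 FAIL
2019-09-05T10:00:03Z 198.51.100.7 356789012345627 OK
2019-09-05T10:00:04Z 198.51.100.7 356789012345635 FAIL
2019-09-05T10:00:05Z 198.51.100.7 356789012345643 FAIL
2019-09-05T10:03:10Z 203.0.113.20 356789012399991 FAIL
2019-09-05T10:03:25Z 203.0.113.20 356789012399991 OK
2019-09-05T10:07:00Z 192.0.2.44 356789012300005 OK
2019-09-05T10:09:00Z 192.0.2.44 356789012377772 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{15}) (OK|FAIL)$")


def find_enumeration(log_text, min_run=4, max_gap=1):
    """Return {source_ip: (longest_run, ok_logins)} for sources that try
    at least min_run IMEI usernames whose serial parts follow one another."""
    attempts = defaultdict(set)   # source -> distinct IMEI bodies tried
    successes = defaultdict(int)  # source -> number of successful logins
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not 15-digit-username logins
        _, src, username, result = m.groups()
        # The 15th IMEI digit is a Luhn check digit, so compare only the
        # first 14 digits; neighbouring devices then differ by exactly 1.
        attempts[src].add(int(username[:14]))
        successes[src] += result == "OK"

    flagged = {}
    for src, bodies in attempts.items():
        ordered = sorted(bodies)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur - prev <= max_gap else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[src] = (longest, successes[src])
    return flagged


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

A flagged source with a non-zero success count means at least one account in the run still accepted its password, so those accounts are candidates for a forced password reset.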

Credit: Avast
