An estimated 600,000 GPS trackers for location monitoring of children, adults, and pets have vulnerabilities that open users up to a host of creepy attacks, researchers from security firm Avast have found.
The $25 to $50 devices are small enough to wear on a bracelet or stash in a pocket or a car's dash compartment. Many also include cameras and microphones. They are sold on Amazon and other online stores as inexpensive ways to help keep children, seniors, and pets safe. Setting aside the ethics of attaching a spying device to the people we love, there is another reason for skepticism. Vulnerabilities in the T8 Mini GPS Tracker Locator and nearly 30 similar models from the same manufacturer, Shenzhen i365 Tech, leave users open to eavesdropping, spying, and location-spoofing attacks.
Researchers at Avast Threat Labs found that the ID number assigned to each device is derived from its International Mobile Equipment Identity, or IMEI. Even worse, during production, every device is assigned the same default password of 123456. That design allowed the researchers to find more than 600,000 devices in use in the wild with that password. As if that weren't bad enough, the devices transmit all of their data in plaintext, using simple commands to control the device.
The result: people on the same network as the smartphone or web-based application can monitor or modify the traffic. One command sends a text message to a phone number of the attacker's choosing. An attacker can use it to learn the phone number linked to a specific account. From there, attackers on the same network can change the GPS coordinates the tracker is reporting or force the device to call a number of the attacker's choosing and broadcast anything within range of its microphone. Other commands allow the device to be reset to its original factory settings, including the default password, or to install attacker-selected firmware.
Another command allows attackers to change the IP address of the server the device talks to. Avast researchers used this to set up a man-in-the-middle attack that gave them complete control over the device. From that point on, attackers no longer need to be connected to the same network as the smartphone or web application. They can view and modify all traffic passing through their man-in-the-middle server.
The researchers also concluded that all data traveling between the GSM network and the cloud server is not only unencrypted but also unauthenticated. The only thing identifying the device was its IMEI. The researchers said they privately notified the seller of the T8 Mini GPS tracker of the vulnerabilities on June 24 and never received a response. Attempts by Ars to reach company representatives were unsuccessful.
In a blog post scheduled to go live Wednesday morning, Avast researchers identified 29 generic model names among the subset of the 600,000 Internet-connected trackers they detected using the default password. They are:
T58
A9
T8S
T28
TQ
A16
A6
3G
A18
A21
T28A
A12
A19
A20
A20S
S1
P1
FA23
A107
RomboGPS
PM01
A21P
PM02
A16X
PM03
WA3
P1-S
S6
S9
GPS trackers can provide security and peace of mind in the right circumstances, which at a minimum require the full informed consent of the people being tracked. But Avast's research shows how the capabilities of these devices can cut both ways and leave users more vulnerable than if they didn't use a tracker at all. People who have purchased one of the affected devices should stop using it immediately.