An estimated 600,000 GPS tracking devices for sale on Amazon and other large online merchants for $25–$50 have been found to contain a handful of dangerous vulnerabilities that may have exposed users’ real-time locations, security researchers have claimed.
Cybersecurity researchers from Avast discovered that 29 models of GPS trackers made by Chinese technology company Shenzhen i365 for keeping tabs on young children, elderly relatives, and pets contain a number of security vulnerabilities.
Moreover, all of the more than half a million tracking devices were shipped with the same default password, “123456,” giving attackers an easy way to access tracking information for users who never changed it.
Vulnerabilities in GPS Tracking Devices
The reported GPS tracking device vulnerabilities could enable remote attackers with just an Internet connection to:
- track real-time GPS coordinates of the device’s wearer,
- falsify location data of the device to give an inaccurate reading, and
- access the devices’ microphone for eavesdropping.
Most of the discovered vulnerabilities stem from the fact that communication between the GPS trackers and the cloud, between the cloud and the device’s companion mobile apps, and between users and the device’s web-based application all uses unencrypted plaintext HTTP, allowing MiTM attackers to intercept exchanged data and issue unauthorized commands.
“All the communications in the web application go over HTTP. All the JSON requests are again unencrypted and in plaintext,” researchers explain in a detailed report.
“You can make the tracker call an arbitrary phone number and once connected, you can listen through the tracker the other party without their knowledge. The communication is text-based protocol, and the most concerning thing is the lack of authorization. The whole thing works just by identifying the tracker by its IMEI.”
Spying On Real-Time GPS Location With An SMS
Besides this, researchers found that remote attackers can also obtain the real-time GPS coordinates of a target device just by sending an SMS to the phone number associated with the SIM card inserted into the device, which provides its DATA+SMS capabilities.
Though attackers first need to know the tracker’s associated phone number and password to carry out this attack, researchers said one can exploit the cloud and mobile app flaws to command the tracker to send an SMS to an arbitrary phone number on its own behalf, revealing the device’s phone number to the attacker.
With the device’s phone number in hand and the password being ‘123456’ for almost all devices, the attacker can then use SMS as an attack vector.
Analysis of the T8 Mini GPS Tracker Locator by the researchers also found that its users were directed to an unsecured website to download the device’s companion mobile app, exposing the users’ information.
Over Half-A-Million People Using Affected GPS Trackers
The affected models of GPS trackers include T58, A9, T8S, T28, TQ, A16, A6, 3G, A18, A21, T28A, A12, A19, A20, A20S, S1, P1, FA23, A107, RomboGPS, PM01, A21P, PM02, A16X, PM03, WA3, P1-S, S6, and S9.
Though the manufacturer of these GPS trackers, Shenzhen i365, is based in China, Avast’s analysis found that these GPS trackers are widely used in the United States, Europe, Australia, South America, and Africa.
The researchers said they privately notified the vendor of the critical security vulnerabilities on June 24 and reached out to the company multiple times, but never got a response.
Martin Hron, senior researcher at Avast, said:
“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices.”
Researchers also advised people to do their own research and choose a secure device from a respected vendor, rather than go for any cheap equipment from an unknown company on Amazon, eBay, or other online markets.