Over 600,000 GPS Trackers of 29 Different Models Expose User Information Including Real-time Location

• Researchers uncovered at least 600,000 GPS trackers that are having the same default password of ‘123456’.
• Researchers also determined that all the communication data travels unencrypted from the GSM network to the cloud server.

What is the problem?

Researchers from Avast have identified that GPS child trackers manufactured by Shenzhen i365 expose user information.

Key findings

• Researchers uncovered that at least 29 models of GPS trackers contain serious security flaws that expose user information including real-time GPS coordinates.
• Avast researchers examined the T8 Mini child tracker and found that its companion mobile app is downloaded from an unsecured website.
• They also found out that at least 600,000 devices are having the same default password of ‘123456’.
• These vulnerabilities could allow an attacker to hijack user accounts, spoof users’ locations, or access the microphone to spy on conversations.
• Furthermore, researchers determined that all the communication data travels unencrypted from the GSM network to the cloud server.

Researchers noted that around 50 GPS tracking mobile applications available on both Google Play and iOS App Store share the same unencrypted API platform.

“As you can see there are strong indicators that this issue goes far beyond the scope of one vendor. We found similar APIs being used by different applications also found models that are not being made by this particular vendor that is linked to this cloud infrastructure,” researchers said in their report.

Vendor’s response

On June 24, 2019, Avast researchers notified Shenzhen i365 about the vulnerabilities, however, they did not hear back from the vendor.

We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Martin Hron, a senior researcher at Avast said.