27 September 2023

Off track: How GPS trackers are taking their users for a ride

Start the conversation

Ravie Lakshmanan* says researchers have found serious security vulnerabilities in over 600,000 GPS trackers sold online.


Image: Tero Vesalainen

Researchers have found serious security vulnerabilities in over 600,000 GPS trackers available for sale on Amazon and other online retail merchants that may have exposed user data, including exact real-time GPS coordinates.

Czech cybersecurity firm Avast, which disclosed the vulnerabilities, said it informed the manufacturer about the flaws on 24 June, but added they never got a response to their repeated messages.

The trackers — 31 models in all that are made by Chinese Internet of Things (IoT) manufacturer Shenzhen i365 Tech — allowed users to keep tabs on their children’s whereabouts through a companion app and a web portal, while the trackers uploaded the location information to a cloud server that communicated with the apps.

But researchers noted this setup was replete with flaws.

Not only was the information on the web portal and the Android app sent to the server unencrypted (i.e. HTTP as opposed to HTTPS), the usernames were based on the trackers’ IMEI (International Mobile Equipment Identity) number, with the default password being “123456”.

Avast warned that hackers can use this information to intercept data and issue unauthorised commands, using the tracker to call and message arbitrary phone numbers, thereby letting them spy on conversations around the tracker without the user’s knowledge.

In addition, this can also allow a malicious user to take over victims’ accounts by going through the trackers’ IMEI codes in sequence and the same password, “123456”, effectively locking them out.

The attacker can even get the real-time GPS coordinates by just sending an SMS to the phone number associated with the SIM card that’s inserted into the tracker.

Conveniently for the threat actor, the account settings make it possible for the attacker to force “the tracker [to] send an SMS to a phone number of a phone in his possession which allows him to tie the ID of a tracker with its phone number”.

Scanning a random sample of four million sequential IMEI numbers, the researchers zeroed in on at least 600,000 devices still in use with default passwords, out of which over 167,000 were locatable.

Although the trackers were manufactured in China, Avast found the trackers to be widely used in Europe, South Africa, Australia, Brazil, the Middle East, and the US.

This is not the first time a flaw of this nature has been revealed.

Back in May, UK cybersecurity firm Fidus Information Security revealed a vulnerability in a popular GPS tracker used by elderly patients that can be tricked into sending its real-time location simply by sending it a text message with a specific command.

As a consequence, the UK is considering laws that would mandate internet-connected gadgets to be sold with a unique password, and not a default.

GPS tracking devices are often used for a variety of purposes, from locating family members and pets to cars and valuables such as keys.

Given that the issue exists to this day, it’s yet another cautionary reminder as to why you should change default passwords.

* Ravie Lakshmanan is an author at The Next Web.

This article first appeared at thenextweb.com.

Start the conversation

Be among the first to get all the Public Sector and Defence news and views that matter.

Subscribe now and receive the latest news, delivered free to your inbox.

By submitting your email address you are agreeing to Region Group's terms and conditions and privacy policy.