Manufacturers left a default password of ‘123456’ on GPS trackers, causing a security risk

Over 30 models of commonly used GPS trackers for pets, kids, and the elderly have been shown to be exposed to compromise because the manufacturer set them up with a standard ‘123456’ password.

Security researchers at Czech cyber-security firm Avast have reported that at least 600,000 GPS trackers are still using the same default password of ‘123456’, which poses a danger to both customers and the manufacturing company.

Hackers can easily abuse this password to hijack users’ accounts. By using the default password to access the GPS tracker, the hackers can spy on conversations near the GPS tracker, spoof the tracker’s real location, or get the tracker’s attached SIM card phone number for tracking via GSM channels.

The issues were found in GPS trackers manufactured by Shenzhen i365-Tech. Some of these trackers were sold as white-label products that bear the logos of other companies.

It was found that all of the models shared the same backend infrastructure, which consisted of a cloud server to which the GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker’s location, and a similar mobile app, which also connected to the same cloud server that the GPS trackers reported to.

Unfortunately, this entire infrastructure proved to be full of holes. Avast detailed several issues in its report, and the biggest was that all user accounts (whether from the mobile app or the web panel) relied on easy-to-guess user IDs and passwords.

All user IDs were based on the GPS tracker’s IMEI (International Mobile Equipment Identity) code and were issued in sequential order. The passwords were, as previously stated, the same for all devices: ‘123456’.

This would allow a hacker to launch automated attacks against Shenzhen i365-Tech’s cloud server by walking through all user IDs and trying the same ‘123456’ password on each in order to take over users’ accounts.

Users can change the default password once they log into their account for the first time, but when Avast scanned over four million user IDs, it found that more than 600,000 accounts were still using the default password.
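The sequential-ID plus shared-password pattern described above is easy to spot on the server side: one source trying many consecutive user IDs in a short window. The following detection script is an added example written for this post, not code from Avast or Shenzhen i365-Tech; the log format, field names and IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of a web-panel auth log. The format and field names are
# assumptions for this example, not the vendor's real log format.
SAMPLE_LOG = """\
2019-09-05T10:00:01Z src=203.0.113.7 user_id=860000000000001 result=success
2019-09-05T10:00:02Z src=203.0.113.7 user_id=860000000000002 result=fail
2019-09-05T10:00:03Z src=203.0.113.7 user_id=860000000000003 result=success
2019-09-05T10:00:04Z src=203.0.113.7 user_id=860000000000004 result=success
2019-09-05T10:00:05Z src=203.0.113.7 user_id=860000000000005 result=fail
2019-09-05T10:00:06Z src=203.0.113.7 user_id=860000000000006 result=success
2019-09-05T10:00:30Z src=198.51.100.9 user_id=860000000000042 result=success
2019-09-05T10:05:00Z src=198.51.100.9 user_id=860000000000042 result=success
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user_id=(?P<uid>\d+) result=(?P<res>\w+)")

def parse_log(text):
    """Yield (source, user_id, result) per line; non-matching lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), int(m.group("uid")), m.group("res")

def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the given IDs."""
    best = run = 0
    prev = None
    for uid in sorted(set(ids)):
        run = run + 1 if prev is not None and uid == prev + 1 else 1
        best = max(best, run)
        prev = uid
    return best

def detect_enumeration(text, min_ids=5, min_run=4):
    """Return {source: (distinct_ids, longest_run, successful_logins)} for every
    source that tried at least min_ids distinct user IDs including a run of
    min_run consecutive IDs, i.e. the signature of walking IMEI-based IDs."""
    attempts = defaultdict(list)
    for src, uid, res in parse_log(text):
        attempts[src].append((uid, res))
    flagged = {}
    for src, rows in attempts.items():
        ids = {uid for uid, _ in rows}
        run = longest_sequential_run(ids)
        if len(ids) >= min_ids and run >= min_run:
            successes = sum(1 for _, res in rows if res == "success")
            flagged[src] = (len(ids), run, successes)
    return flagged

if __name__ == "__main__":
    for src, (n, run, ok) in detect_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {n} user IDs, sequential run of {run}, {ok} logins succeeded")
```

A successful-login count well above zero for a flagged source means accounts still on the default password were reached, which is the set that needs a forced password reset.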

As many customers purchase these devices in order to track pets, kids, the elderly, and much more, an attacker who gains access to one of these customer accounts can not only track victims but also spoof the tracker’s location in order to kidnap a person or steal a valuable item without the owner noticing.

These devices also come with microphones and SIM cards so that children and the elderly can place SOS calls to authorities or family members. Attackers can easily abuse this feature by placing a phone call to their own number, answering the call, and then quietly spying on the user of the GPS tracker.

Consumers aren’t the only ones at risk. Accounts on the cloud service are created as soon as the GPS trackers are manufactured, meaning that if a malicious competitor broke into the system, they could hijack these accounts before the devices are even sold and change their passwords. That would effectively lock the accounts and create customer support problems for Shenzhen i365-Tech and its resellers later down the road.

Avast’s research only looked at four million user IDs, so the actual number of GPS trackers with default passwords is most likely considerably higher.

The Shenzhen i365-Tech company has not yet addressed this issue, so if you own one of the 30+ GPS tracker models listed on Avast’s report, you should change your account password as soon as possible. You can find Avast’s report here: https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648