Manufacturers left a default password of ‘123456’ on GPS trackers, causing security risk
Over 30 models of GPS trackers commonly used to track pets, kids, and the elderly have been shown to be vulnerable because the manufacturer shipped them with a standard ‘123456’ password.
Security researchers at Czech cyber-security firm Avast have reported that at least 600,000 GPS trackers are still using the same default password of ‘123456’, which poses a danger to both customers and the manufacturing company.
Hackers can easily abuse this password to hijack users’
accounts. By using the default password to access the GPS tracker, the hackers
can spy on conversations near the GPS tracker, spoof the tracker’s real
location, or get the tracker’s attached SIM card phone number for tracking via
The issues were found in GPS trackers manufactured by Shenzhen i365-Tech. Some of the affected trackers were made by Shenzhen i365-Tech but sold as white-label products bearing the logos of other companies.
It was found that all of the models shared the same backend
infrastructure, which consisted of a cloud server to which the GPS trackers
reported, a web panel where customers logged in via their browsers to check the
tracker’s location, and a similar mobile app, which also connected to the same
cloud server that the GPS trackers reported to.
Unfortunately, this entire infrastructure proved to be full of holes. Avast detailed several issues in its report, and the biggest was that all user accounts (whether from the mobile app or the web panel) relied on easy-to-guess user IDs and passwords.
All user IDs were based on the GPS tracker’s IMEI (International
Mobile Equipment Identity) code and were in sequential order. The passwords
were, as previously stated, the same for all devices – ‘123456’.
This would allow a hacker to launch automated attacks against Shenzhen i365-Tech’s cloud server by going through all user IDs and using the same ‘123456’ password in order to take over users’ accounts.
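One defender-side check for the attack pattern just described, written here as an added example (not code from Avast's report or from i365-Tech's platform): it scans authentication log lines for a single source logging into many sequential, IMEI-style user IDs inside a short window. The log format, field names and sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from Avast's report): one login attempt per line.
# 203.0.113.7 sweeps consecutive IMEI-derived IDs; 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
2019-09-05T10:00:01Z 203.0.113.7 login user=358000001 result=ok
2019-09-05T10:00:02Z 203.0.113.7 login user=358000002 result=ok
2019-09-05T10:00:02Z 198.51.100.4 login user=358000042 result=ok
2019-09-05T10:00:03Z 203.0.113.7 login user=358000003 result=fail
2019-09-05T10:00:04Z 203.0.113.7 login user=358000004 result=ok
2019-09-05T10:00:05Z 203.0.113.7 login user=358000005 result=ok
2019-09-05T10:00:06Z 203.0.113.7 login user=358000006 result=ok
2019-09-05T10:03:00Z 198.51.100.4 login user=358000042 result=ok
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) login user=(?P<uid>\d+) result=(?P<res>\w+)$")

def parse(lines):
    """Yield (timestamp, source, user_id, result) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], int(m["uid"]), m["res"])

def sequential_fraction(ids):
    """Share of adjacent gaps equal to 1 across the distinct, sorted IDs."""
    ids = sorted(set(ids))
    if len(ids) < 2:
        return 0.0
    return sum(b - a == 1 for a, b in zip(ids, ids[1:])) / (len(ids) - 1)

def detect_id_sweep(lines, window=timedelta(minutes=5), min_ids=5, min_seq=0.8):
    """Return {source: sorted user IDs} for sources sweeping sequential IDs."""
    by_src = defaultdict(list)
    for ts, src, uid, _res in parse(lines):
        by_src[src].append((ts, uid))  # result ignored: default-password logins succeed
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this source's logins
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = [u for _, u in events[start:end + 1]]
            if len(set(ids)) >= min_ids and sequential_fraction(ids) >= min_seq:
                alerts.setdefault(src, set()).update(ids)
    return {src: sorted(ids) for src, ids in alerts.items()}
```

Thresholds are tunable: a legitimate reseller provisioning a batch might also touch consecutive IDs, so such sources would need an allow-list.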
It’s possible for users to change the default password once they log into their account for the first time, but during a scan of over four million user IDs, Avast found that more than 600,000 accounts were still using the default password.
As many customers purchase these devices in order to track pets,
kids, the elderly, and much more, an attacker who gains access to one of these
customer accounts can track victims, but also spoof the tracker’s location in
order to kidnap or steal a valuable product without the owner noticing.
These devices also come with microphones and SIM cards so that
children and the elderly can place SOS calls to authorities or family members.
Attackers can easily abuse this feature by placing a phone call to their own
number, answering the call, and then quietly spying on the user of the GPS
Consumers aren’t the only ones at risk. Accounts on the cloud service are created as soon as the GPS trackers are manufactured, meaning that if a malicious competitor hacked into the company’s system, they could hijack these accounts before the devices are even sold and change their passwords. That would effectively lock the accounts and create customer support problems for Shenzhen i365-Tech and its resellers later down the road.
Avast’s research only looked at four million user IDs, so the
actual number of GPS trackers with default passwords is most likely
RHYNO Networks was designed to meet the needs of the IT marketplace. Specifically, to offer businesses skilled, timely IT services in order for them to focus on their business. We’re dedicated to the principles of Reliability, Innovation and Customer Service.