Most of the GPS trackers have ‘123456’ as a default password

Researchers have found severe security vulnerabilities in over 600,000 GPS trackers sold on Amazon and other online retailers that expose personal data, including accurate real-time GPS coordinates.

Czech cyber-security firm Avast, which disclosed the vulnerabilities, said it informed the manufacturer of the flaws on June 24, 2019, but added that it never received a response to its repeated messages.


The trackers, 31 models in all, made by Chinese IoT manufacturer Shenzhen i365 Tech, let users keep tabs on their children’s whereabouts through a web portal and a companion app, while the trackers uploaded location data to a cloud server that communicated with the apps.


But researchers noted this setup was riddled with flaws. Not only was data from the Android app and web portal sent to the server unencrypted (over HTTP rather than HTTPS), but the usernames were based on the trackers’ International Mobile Equipment Identity (IMEI) numbers, with the default password being “123456.”
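To show what the corrected design looks like, here is an added example of a device-provisioning routine for a tracker backend. It is not code from the article, from Avast, or from the vendor; the backend, its account table and the sample IMEI are all constructed for the example. The IMEI can stay as the public account identifier, but every device receives its own random initial secret, only a salted hash is stored, and the reported default “123456” (together with a few constructed defaults) is refused at login.

```python
import hashlib
import hmac
import secrets

# Credentials that must never be accepted for a device account.
# "123456" is the default reported in the article; the others are constructed examples.
DEFAULT_PASSWORDS = {"123456", "password", "admin", "000000"}

PBKDF2_ROUNDS = 200_000


def is_default_credential(password: str) -> bool:
    """True if the password is one of the known shared defaults."""
    return password in DEFAULT_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest; the plaintext is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def provision_device(imei: str, accounts: dict):
    """Create an account for one tracker with a unique random initial password.

    `accounts` stands in for the backend's account table (hypothetical).
    Returns (username, initial_password); the password is shown to the owner
    once and flagged so the portal forces a change on first login.
    """
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be 15 digits")
    if imei in accounts:
        raise ValueError("device already provisioned")
    password = secrets.token_urlsafe(12)  # ~96 bits of entropy, different per device
    salt = secrets.token_bytes(16)
    accounts[imei] = {
        "salt": salt,
        "hash": hash_password(password, salt),
        "must_change": True,
    }
    return imei, password


def verify_login(imei: str, password: str, accounts: dict) -> bool:
    """Constant-time check of a login attempt.

    Shared defaults are refused outright, so even a legacy record that
    happened to contain one cannot be used to sign in.
    """
    record = accounts.get(imei)
    if record is None or is_default_credential(password):
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


if __name__ == "__main__":
    table = {}
    user, pw = provision_device("356938035643809", table)  # constructed sample IMEI
    print(user, pw, verify_login(user, pw, table), verify_login(user, "123456", table))
```

The username is still predictable here, which is acceptable only because the secret is no longer shared: with a per-device random password, knowing or guessing an IMEI gives nothing on its own.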


Avast warned that hackers can use this information to intercept data and issue unauthorized commands, using the tracker to message and call arbitrary phone numbers, thereby letting them eavesdrop on conversations around the tracker without the user’s knowledge.


This also permits a malicious individual to take over victims’ accounts by working through the trackers’ IMEI codes in sequence with the same password, “123456,” effectively locking the owners out.
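From the defender’s side, the pattern just described is visible in the backend’s authentication logs: a single source working through account names that are consecutive numbers. The following is an added example of that detection logic, not code from the article or from Avast. The log format, the IMEIs and the source addresses are all constructed for the example; a real deployment would adapt `LINE_RE` to its own log layout.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample log lines: timestamp, source IP, tracker username (IMEI), result.
# The IMEIs and addresses are made up; 203.0.113.7 plays the enumerating source.
SAMPLE_LOG = """\
2019-06-24T10:00:01Z 203.0.113.7 login user=356938035643801 result=fail
2019-06-24T10:00:02Z 203.0.113.7 login user=356938035643802 result=fail
2019-06-24T10:00:02Z 203.0.113.7 login user=356938035643803 result=ok
2019-06-24T10:00:03Z 203.0.113.7 login user=356938035643804 result=fail
2019-06-24T10:00:03Z 203.0.113.7 login user=356938035643805 result=ok
2019-06-24T10:00:09Z 198.51.100.2 login user=356938035649999 result=ok
2019-06-24T10:01:00Z 198.51.100.9 login user=356938035643100 result=ok
2019-06-24T10:02:00Z 198.51.100.9 login user=356938035643100 result=fail
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login user=(\d+) result=(\w+)$")


def parse_log(text: str) -> List[Tuple[str, str, int, str]]:
    """Turn log lines into (timestamp, source_ip, imei, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, imei, result = m.groups()
            events.append((ts, ip, int(imei), result))
    return events


def longest_sequential_run(imeis: List[int]) -> int:
    """Length of the longest run of consecutive integers among the distinct IMEIs."""
    distinct = sorted(set(imeis))
    if not distinct:
        return 0
    best = run = 1
    for prev, cur in zip(distinct, distinct[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best


def detect_enumeration(events, min_run: int = 3) -> Dict[str, dict]:
    """Flag each source IP that attempted at least `min_run` consecutive IMEIs.

    Successful logins inside such a run are the accounts most likely already
    taken over and the ones to reset and notify first.
    """
    by_ip = defaultdict(list)
    for _ts, ip, imei, result in events:
        by_ip[ip].append((imei, result))

    findings = {}
    for ip, attempts in by_ip.items():
        run = longest_sequential_run([imei for imei, _ in attempts])
        if run >= min_run:
            findings[ip] = {
                "sequential_run": run,
                "distinct_accounts": len({imei for imei, _ in attempts}),
                "successes": sorted(imei for imei, r in attempts if r == "ok"),
            }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_enumeration(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Grouping by source address is the simplest key; a source that rotates addresses would need the same run check applied across a time window instead, and the successes list is what drives the response (forced password resets for those accounts).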


The 32 models of GPS trackers sold by Shenzhen i365


Conveniently for the threat actor, the account settings make it possible to force the tracker to send an SMS to a phone number of the attacker’s choosing, which lets the attacker tie a tracker’s ID to its phone number.

This is not the first time a flaw of this nature has been exposed. In May, UK cyber-security firm Fidus Information Security disclosed a vulnerability in a popular GPS tracker used by elderly patients that could be tricked into sending its real-time location.


As a consequence, the UK is considering laws that would require internet-connected devices to be sold with a unique password rather than a default one.


Image Credit : TheNextWeb
