Around 600,000 GPS trackers manufactured by a Chinese company use the same default password, “123456.” This was disclosed by security researchers from the Czech cyber-security firm Avast.
The researchers state that attackers can misuse this password to hijack users’ accounts, from which they can spy on conversations near the GPS tracker, spoof the tracker’s reported location, or obtain the phone number of the tracker’s SIM card for tracking over GSM channels.
These issues were found in the T8 Mini, a GPS tracker manufactured by the Chinese IoT device maker Shenzhen i365-Tech.
The same issues affect more than 30 other models of GPS trackers, all manufactured by the same vendor, some of which are also sold as white-label products bearing the logos of other companies.
All models had the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker’s location, and also a mobile app connected to the same cloud server.
This infrastructure had several issues, the biggest being that every user account relied on a user ID and a password that were both very easy to guess.
The user IDs were based on the GPS tracker’s IMEI (International Mobile Equipment Identity) code and were sequential, and the password was the same for all devices: 123456.
This makes it easy for an attacker to launch automated attacks against Shenzhen i365-Tech’s cloud server, stepping through user IDs one by one with the same 123456 password, and take over users’ accounts.
Users can change the default password after logging into their account for the first time, but more than 600,000 accounts were found to be still using it.
Most customers use these devices to track pets, elderly family members, kids, cars, or other valuable items. An attacker who gains access to a customer account can not only track the victims but also spoof the tracker’s location, allowing a kidnapping or the theft of a valuable item without the owner noticing.
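The sequential-ID sweep described above leaves a recognisable trace in backend authentication logs: one source address logging into many consecutive user IDs in quick succession. The following detection example is added here and is not code from Avast or Shenzhen i365-Tech; the log format, the IP addresses and the IMEI-style user IDs are constructed for illustration.

```python
"""Flag login sweeps over consecutive user IDs in constructed auth logs."""
from collections import defaultdict

# Constructed sample log lines (not real data): timestamp, source IP, action, user ID, result.
# The first source walks five consecutive IMEI-style IDs; the second is a normal user.
SAMPLE_LOG = """\
2019-09-05T10:00:01Z 203.0.113.7 LOGIN uid=351234567890001 result=OK
2019-09-05T10:00:02Z 203.0.113.7 LOGIN uid=351234567890002 result=OK
2019-09-05T10:00:03Z 203.0.113.7 LOGIN uid=351234567890003 result=FAIL
2019-09-05T10:00:04Z 203.0.113.7 LOGIN uid=351234567890004 result=OK
2019-09-05T10:00:05Z 203.0.113.7 LOGIN uid=351234567890005 result=OK
2019-09-05T10:01:00Z 198.51.100.9 LOGIN uid=351234567890077 result=OK
2019-09-05T10:05:00Z 198.51.100.9 LOGIN uid=351234567890077 result=OK
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, ip, _action, uid, result = line.split()
    return {"ts": ts, "ip": ip, "uid": int(uid.split("=", 1)[1]),
            "ok": result.endswith("OK")}


def find_sequential_sweeps(log_text, min_run=4, max_gap=1):
    """Return per-IP alerts for sources whose user IDs form a consecutive run.

    A run is a chain of distinct user IDs where each differs from the previous
    by at most max_gap; a run of at least min_run IDs from one source is alerted.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        uids = sorted({e["uid"] for e in events})
        run = best = 1
        for prev, cur in zip(uids, uids[1:]):
            run = run + 1 if 0 < cur - prev <= max_gap else 1
            best = max(best, run)
        if best >= min_run:
            # Successful logins across distinct IDs indicate accounts already taken over.
            compromised = len({e["uid"] for e in events if e["ok"]})
            alerts[ip] = {"distinct_uids": len(uids), "longest_run": best,
                          "compromised": compromised}
    return alerts
```

In a real deployment the same logic would run over the cloud server's login records, with the alert feeding rate limiting or a forced password reset for the affected accounts.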
Besides, these devices come with microphones and SIM cards so children or elderly members can place SOS calls to authorities or family members.
Avast states that account hackers can abuse this feature to make a phone call to their own number, answer the call, and then spy on the GPS tracker owner.
It is important to note that these default passwords are dangerous not only for the users but also for the vendors.
The accounts on the cloud service are created when the GPS trackers are manufactured. A malicious actor can hijack these accounts before the devices are sold and change their passwords, thereby locking accounts and creating customer support problems for Shenzhen i365-Tech and its resellers.
Avast’s research looked at only four million user IDs, so the actual number of GPS trackers with default passwords is expected to be higher.
The manufacturer, however, did not respond to Avast’s emails when the company tried to warn it. Users who own any of the 30+ affected GPS tracker models are advised to change their account passwords as soon as possible.