Recent research has raised significant concerns regarding the security of widely available GPS tracking devices marketed to ensure the safety of children, elderly individuals, and pets. Cybersecurity experts from Avast have identified vulnerabilities in approximately 600,000 devices sold on major platforms like Amazon, which are priced between $25 and $50. These weaknesses may allow malicious actors to track users’ real-time locations, potentially placing them at risk.
The vulnerabilities have been traced back to 29 models produced by Shenzhen i365, a Chinese tech company. Researchers discovered that many of these devices had been shipped with a default password of “123456,” a serious oversight that could expose users’ private information to attackers, particularly those who do not change this default setting.
The researchers explained that these vulnerabilities could allow remote attackers to monitor the real-time GPS coordinates of device users, falsify their location data, and even access the device’s microphone for eavesdropping. The underlying issue stems from the unencrypted communication protocols used between these GPS trackers, cloud services, and companion mobile applications. Such setups enable man-in-the-middle (MiTM) attackers to intercept communications, execute unauthorized commands, and compromise user privacy.
Avast’s research highlights a critical lack of security measures, emphasizing that all data transmitted among the devices, cloud services, and user applications travels over plain HTTP rather than HTTPS. This oversight leaves a wide opening for interception and manipulation of sensitive data. The implications of such vulnerabilities are alarming, as attackers could not only access location data but also potentially exploit the devices to make unauthorized calls, utilizing the device’s microphone without users’ knowledge.
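For defenders who manage networks where such trackers or their companion apps are in use, the two weaknesses described above (the "123456" default password and plain-HTTP transport) can be checked for in egress proxy logs. The following is an added example, not code from Avast or the vendor; the log format, hostnames and parameter names are assumptions, and the sample lines are constructed.

```python
from urllib.parse import parse_qsl, urlsplit

DEFAULT_PASSWORDS = {"123456"}                  # default reported in the article
CREDENTIAL_KEYS = {"password", "pwd", "pass"}   # assumed parameter names
LOCATION_KEYS = {"lat", "lon", "lng"}           # assumed parameter names

# Constructed proxy log: "<time> <client> <method> <url> <form body or ->"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.8.21 POST http://tracker-cloud.example/login user=1703021&password=123456
2024-01-01T10:00:09Z 10.0.8.21 GET http://tracker-cloud.example/position?id=1703021&lat=50.08&lon=14.43 -
2024-01-01T10:01:30Z 10.0.8.40 POST https://vendor-b.example/login user=alice&password=Xq7fe92Lm
2024-01-01T10:02:00Z 10.0.8.55 POST https://vendor-c.example/login user=bob&password=123456
"""

def audit_line(line):
    """Return findings for one log line; empty list if clean or malformed."""
    fields = line.split()
    if len(fields) != 5:
        return []
    _, _, _, url, body = fields
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    if body != "-":
        params.update(parse_qsl(body))
    keys = {k.lower() for k in params}
    cleartext = parts.scheme.lower() == "http"
    findings = []
    if cleartext:
        findings.append("cleartext-http")
    creds = [v for k, v in params.items() if k.lower() in CREDENTIAL_KEYS]
    if any(v in DEFAULT_PASSWORDS for v in creds):
        findings.append("default-password")   # flagged even over HTTPS
    if cleartext and creds:
        findings.append("credentials-in-cleartext")
    if cleartext and keys & LOCATION_KEYS:
        findings.append("location-in-cleartext")
    return findings

def audit(log_text):
    """Map each client address to the set of findings seen for it."""
    report = {}
    for line in log_text.splitlines():
        found = audit_line(line)
        if found:
            report.setdefault(line.split()[1], set()).update(found)
    return report

if __name__ == "__main__":
    for client, found in sorted(audit(SAMPLE_LOG).items()):
        print(client, sorted(found))
```

A device that logs in over HTTPS with the default password is still reported, since transport encryption does not help when the credential itself is guessable.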
In another troubling discovery, the researchers revealed that remote attackers could retrieve the real-time GPS coordinates of a target device simply by sending an SMS to the phone number associated with the SIM card embedded within a device. If an attacker manages to exploit cloud-related vulnerabilities, they may compel the tracker to send an SMS to a number of their choosing, thus uncovering the device’s associated phone number.
The affected devices—including various models like T58, A9, T8S, and others—are notably used not only in China but also across the United States, Europe, and beyond. Despite reaching out multiple times to Shenzhen i365 regarding the identified vulnerabilities since June 24, the security researchers report that there has been no response. Martin Hron, a senior researcher at Avast, articulated the necessity of public awareness surrounding these vulnerabilities. He emphasized the importance of opting for secure devices from reputable vendors instead of purchasing low-cost options from unknown brands.
In light of these revelations, the MITRE ATT&CK framework can be instrumental in understanding the potential tactics employed by attackers in these scenarios. Initial access tactics are evident, as attackers exploit weak default passwords. Persistence methods could also be applied as attackers configure devices to maintain access. Furthermore, privilege escalation techniques may come into play if unauthorized command executions take place.
In summary, the findings underscore the pressing need for consumers to be vigilant in selecting GPS tracking devices. Business owners, in particular, should recognize that utilizing insecure devices could pose a significant threat not only to personal safety but also to organizational security. As the cybersecurity landscape evolves, staying informed of potential vulnerabilities remains an essential practice for maintaining safety and security in both professional and personal domains.