Over 600,000 China-made GPS trackers have '123456' as default password
The trackers, advertised for children and the elderly, are being used in the US, Europe and elsewhere. And they've got some serious security issues.
Just so we're all on the same page here, "123456" isn't a good default password.
Chinese-made GPS trackers, which can track you anywhere you go, are marketed as a way to keep children and senior citizens safe. But security researchers have found that the devices, which are being used in the US, Europe and other regions, have a handful of dangerous vulnerabilities.
For starters, the T8 Mini GPS trackers from Shenzhen i365 Tech have "123456" as their default password. They were all shipped with the same password, and that password extends to nearly 30 other models in the company's lineup, Martin Hron, senior researcher with cybersecurity company Avast, said Thursday.
Shenzhen i365 noted that the default password isn't permanent.
"The default password 123456 can easily be changed by the user at the first time they do unboxing," Allenli Kyao, Shenzhen i365's director of international sales, said Friday in an email.
Read more: The best password managers for 2019 and how to use them
Internet of things devices are often criticized for their weak security standards, with lawmakers worrying that the gadgets are cybersecurity disasters waiting to happen. Default passwords are a common flaw for connected gadgets. There's even a website that displays footage from home security cameras whose passwords haven't been reset by the people who bought the products. The problem's so bad that California passed a law prohibiting IoT devices from having default passwords.
Avast estimated that more than 600,000 GPS trackers from Shenzhen i365 Tech in use have this major security flaw. Once hackers figure out the password, they have complete access to people's real-time location data.
"When I first saw it, I thought to myself: 'Oh, not again,'" Hron said in a statement. "So I wasn't surprised, considering the fact that default password is the No. 1 vulnerability of IoT devices. What is different in this case is the scale -- the fact that even the username is quite predictable and also the very personal nature of data being exposed."
An advertisement for the GPS trackers showed the default password.
Though the manufacturer is based in China, Avast's analysis found that these GPS trackers are being used in the US, across Europe, Australia, South America and Africa.
On the product's website, the GPS tracker is advertised for children, the elderly, pets and luggage, and is touted as being able to track people throughout a global network. The default password is also posted in the advertisement.
Even if people did change their passwords after buying the devices, other vulnerabilities exist, Avast said.
All the requests from the GPS tracker's apps are unencrypted, which means anyone on the same Wi-Fi network can take control of the device. This could, for instance, let potential hackers hijack the tracker's microphone and eavesdrop on conversations. Sensitive data from the device, including location coordinates, is unencrypted when it's sent to online servers, Avast said.
Avast said it reached out multiple times to Shenzhen i365 Tech in June to warn it about the critical security issues but never heard back.
"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices," Hron said.
Originally published on Sept. 5.
Updated on Sept. 6: Adds response from Shenzhen i365.