Security vulnerabilities in 30 GPS tracker models targeted at kids, seniors and pets can expose data including people's real-time GPS coordinates, according to a blog post Thursday from security firm Avast. Design flaws also allow hackers to potentially access device microphones or spoof a location, Avast found, highlighting the security and privacy struggles consumers still face when it comes to smart devices.
The T8 Mini GPS tracker from Chinese manufacturer Shenzhen i365 Tech, for example, transmits requests from its web application in plain text, which means the traffic is unencrypted and not secure. This could allow a malicious third party to do things like eavesdrop through the microphone, use SMS to reroute the device to another service to gain full control and spoof information sent to the cloud, or share a URL to the device, allowing a remote attacker to infect it with malware.
Some 29 other models, primarily from the same manufacturer and sold on Amazon, eBay and Alibaba, contain the same insecure infrastructure, Avast's researchers found. While all the models studied were sold by Shenzhen i365 Tech, some were being sold under different product names -- a practice known as "white labeling."
Along with the 30 GPS trackers examined in this post, Avast also uncovered 50 different mobile apps sharing the same unencrypted platform. The researchers estimated that there are more than 600,000 devices in use with default "123456" passwords, and around 500,000 downloads of those mobile apps.
The firm notified Shenzhen i365 Tech about these flaws, and received no response, according to the post.
"The default password 123456 can easily be changed by the user at the first time they do unboxing," Allenli Kyao, director of international sales for Shenzhen i365 Tech, said in an email.
Smart device security concerns
While this information is disturbing for users of these particular devices, the problem goes far beyond any single vendor, the researchers noted, pointing to larger privacy and security issues with the internet of things (IoT) and smart devices -- particularly frightening when it comes to devices aimed at children. For example, in August, flaws uncovered in a LeapPad Ultimate tablet made for kids age 3 to 6 could have allowed hackers to pinpoint a child's location and send them messages. Security flaws were also found in recent years in the internet-connected Hello Barbie doll and CloudPets stuffed animals.
Smart devices continue to spread rapidly worldwide: By 2020, there will be more than 20.4 billion connected devices worldwide, Gartner predicts.
Lawmakers are attempting to step in to protect consumer security when it comes to IoT devices: Last year, California became the first US state to pass a law stating that any smart device manufacturer must build in security features that "protect the device and any information contained therein from unauthorized access, destruction, use, modification or disclosure."
While a federal law has been proposed in the US, there has been little movement. Until any law goes into effect, smart device security is left in the hands of the manufacturer. This means the trade-off for the convenience of many tech tools, particularly among smart devices, is often increased security and privacy risks.
How to choose the safest smart devices
The Avast researchers stated in their post that if you want to purchase a smart device and ensure your security, you must do your research on the security protocols built into a given device -- a high bar for most consumers to hurdle -- particularly when it is a low-cost device. Opt for products from brands that have built security into the product design, specifically secure login and strong data encryption protections. And whenever you set up an off-the-shelf device, you should change the default admin passwords immediately.
"As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase," Leena Elias, head of product delivery for Avast, said in a press release. "Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe -- the extra cost is worth the peace of mind."
A growing number of consumers (79%, according to Parks & Associates research) are concerned about privacy in their smart devices. CNET has made privacy and security a much bigger factor when reviewing and rating the best smart home devices. We now have a senior editor, Ry Crist, who has a special focus on security and privacy across the smart home. So, stay tuned to CNET for more on this important topic.
Originally published Sept. 5.
Update, Sept. 6: Adds comment from Shenzhen i365 Tech.