Track the Trackers: GPS Devices Fail Security TestsAnyone Can Follow Devices Tracking Children, Elderly and Pets, Avast Warns
A widely used brand of GPS location-tracking devices - for keeping tabs on children, elderly relatives and pets - have security flaws that could allow anyone with an internet connection to track the devices' real-time location and historical movements, warns security firm Avast.
Avast reports that nearly 30 models of GPS trackers - most manufactured by Shenzhen i365 Tech - have serious security vulnerabilities that could enable attackers to track or spoof the location of the devices. The security firm estimates that 600,000 vulnerable devices are in use with the default "123456" password, and it warns that all data they send to the cloud is unencrypted and could be intercepted by attackers.
In addition, 50 mobile apps that rely on the underlying platform for interfacing with the GPS location-tracking devices have been downloaded more than 500,000 times, Avast says. The apps also facilitate voice and SMS communications using the devices.
Avast's researchers note that Shenzhen i365 Tech isn't the only vendor in the world that's building poorly secured location-tracking devices. They note that the security flaws they identified mirror much more widespread GPS tracker and internet of things device security shortcomings.
Indeed, criminals as well as nation-state intelligence agencies continue to use internet-connected devices - including consumer IoT equipment - as a springboard for attacks and reconnaissance, including launching distributed-denial-of-service disruptions as well as spying on targets (see: Microsoft: Russia Probes Office Printers, VOIP Phones).
Real-Time Tracking of People, Pets, Things
Looking at the Shenzhen i365 Tech devices, the T8 mini GPS Tracker is marketed by the company as a way to keep track of relatives, pets, and possessions, including luggage; the FA23 waterproof ip67 kids gps watch is marketed as a way for parents to track their children; the P9 Fashion Mini GPS Tracker is aimed at pet owners; and the A10 GPS Tracker is designed for tracking cars, boats or other bulky physical assets.
All of the devices promise real-time location tracking as well as historical tracking of location data via a cloud-based portal for three months.
Research into the devices was led by Martin Hron, a senior researcher at Avast, who recommends that consumers opt for devices from other companies that have a more reliable security reputation.
“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices,” Hron writes in a research report.
Hron says his research kicked off after he obtained one of the devices and noticed that the on-boarding process was handled via HTTP, rather than HTTPS. "It was a coincidence as these trackers are currently available on Amazon in U.S. and were recommended at that time," he tells Information Security Media Group.
China-based Shenzhen i365 Tech didn't immediately respond to a request for comment about Avast's research, whether it could confirm the flaws and if so, what its strategy and timeline was for dealing with them.
Avast says it found these security vulnerabilities:
- Default passwords: All devices ship with a user-changeable password set to "123456," and Avast says at least 600,000 users haven't changed it.
- Guessable usernames: While each device ships with a unique username, it's derived from the device's International Mobile Equipment Identity number, which researchers say allows them to easily predict and enumerate the username of any Shenzhen i365 Tech device. "Combined with the fixed password, practically any device following this sequence of IMEI numbers would be able to be broken into with little effort," Avast warns.
- HTTP: Onboarding devices via the cloud portal relies on HTTP, rather than the more secure HTTPS, which leaves sensitive information including account ID numbers and passwords exposed.
- No encryption: All communications between the devices and the cloud are sent unencrypted in plaintext format.
- Mobile app risks: All communications between the cloud and mobile devices running Shenzhen i365 Tech's Aibeile companion app - available for iOS and Android - get sent via a nonstandard HTTP port - TCP:8018 - in unencrypted form, meaning they could be easily intercepted.
In addition to location-tracking capabilities, the devices also have the ability to call a phone number, so an attacker potentially could eavesdrop on a conversation. They also have the ability to send an SMS message, so an attacker could potentially reroute SMS messages via an attacker-controlled server and send a URL to the tracker that would cause it to install custom firmware, which an attacker could use to update the device with new functionality or install a backdoor, Avast warns.
Avast's Leena Elias, head of product delivery, says no internet-connected devices - whether branded as being "smart" or not - should be brought into the home unless they've been proven to be secure (see: Don't Hug These Internet-Connected Stuffed Toys).
“As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” she says. “Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe - the extra cost is worth the peace of mind.”
But researchers at Avast acknowledge that finding securely developed IoT devices is challenging. "Our research still continues - a follow-up article is coming soon - but right now, we can say that this particular vendor is only a drip in the ocean of white-labeled products," Avast's Hron tells ISMG. "Purchasers should always research not only the product but also the vendor by finding the vendor’s webpage, looking for available support and contacts. If you see unsecured webpages running through HTTP - and not HTTPS - it’s a big red flag."