Stalking cheap Chinese GPS child trackers is as easy as 123... 456 – because that's the default password on 600k+ of these gizmos

It's 2019 and, like, duh, insecurity comes as standard

Concerned parents who strap GPS trackers to their kids to keep tabs on the youngsters may be inadvertently putting their offspring in danger. Hundreds of thousands of the gizmos ship with pathetic security, including a default password of 123456, allowing them to be potentially monitored by strangers, it is claimed.

White hats at Avast announced on Thursday they discovered 29 models of gadgets, designed to track their child wearers, had that weak default passcode. The watch-like devices are all made by Shenzen i365 in China, and sold under various brand names via Amazon at around $25 to $50 apiece.

These trackers typically connect to cellular networks using a built-in SIM card, and send their whereabouts to backend servers so that their locations can be observed by parents after logging into a web portal. To monitor one of these watches, you need a valid user number, derived from the gadget's unique serial number (the IMEI), and a password, which is probably still the factory default. Thus miscreants, armed with the factory default and commonly used passwords, can brute-force scan through ranges of IMEI numbers assigned to the trackers, and potentially log into portal accounts to snoop on kids.

And snoop is the right word: once into an account, you can see the kid's GPS coordinates, eavesdrop on the built-in microphone, access any photos on the device, and potentially even make a call to the child. Additionally, Avast reports, many of the devices send their telemetry to base in plain text over the internet, leaving families vulnerable even if they change the password from the default. This unencrypted data can be intercepted, spied on, and tampered with, by network eavesdroppers.
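The two portal-side weaknesses described above (a factory default password of 123456 that is never forced to change, and account numbers derived from sequential IMEIs that can be walked through) are both things the backend operator could check for. The following is an added example, not code from Avast or from the tracker vendor: it rejects the default password at login or registration, and it reads a constructed authentication log to flag any source address that has tried a run of consecutive account IDs, which is what an enumeration attempt looks like from the server's side. The log format (`ip account_id result`), the addresses, the account numbers and the `min_run` threshold are all assumptions made for the illustration.

```python
from collections import defaultdict

# Factory default reported for these trackers; a portal should refuse it outright.
DEFAULT_PASSWORDS = frozenset({"123456"})

# Constructed sample of portal auth-log lines: "source_ip account_id result".
# The addresses are documentation ranges and the account numbers are invented.
SAMPLE_AUTH_LOG = """\
203.0.113.7 100200 FAIL
203.0.113.7 100201 FAIL
203.0.113.7 100202 OK
203.0.113.7 100203 FAIL
203.0.113.7 100204 FAIL
203.0.113.7 100205 OK
198.51.100.2 100777 OK
198.51.100.2 100777 OK
192.0.2.9 100300 FAIL
192.0.2.9 100310 FAIL
"""


def password_is_acceptable(password: str) -> bool:
    """Refuse the factory default (and trivially short secrets) at
    registration, login and password change."""
    return password not in DEFAULT_PASSWORDS and len(password) >= 8


def parse_auth_log(text: str):
    """Parse the hypothetical log format into (ip, account_id, result) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, account, result = line.split()
        records.append((ip, int(account), result))
    return records


def longest_consecutive_run(ids) -> int:
    """Length of the longest run of consecutive integers among the account IDs
    one source has tried. Sequential IDs are the signature of enumeration."""
    present = set(ids)
    best = 0
    for n in present:
        if n - 1 in present:
            continue  # not the start of a run
        length = 1
        while n + length in present:
            length += 1
        best = max(best, length)
    return best


def find_enumerators(records, min_run: int = 5):
    """Source addresses that attempted at least `min_run` consecutive account IDs."""
    ids_by_ip = defaultdict(set)
    for ip, account, _ in records:
        ids_by_ip[ip].add(account)
    return sorted(ip for ip, ids in ids_by_ip.items()
                  if longest_consecutive_run(ids) >= min_run)


def summarize(text: str, min_run: int = 5):
    """Flag enumerating sources and list the accounts they logged into
    successfully, which are the ones whose passwords should be reset."""
    records = parse_auth_log(text)
    flagged = find_enumerators(records, min_run)
    compromised = sorted({acct for ip, acct, res in records
                          if ip in flagged and res == "OK"})
    return {"flagged_sources": flagged, "accounts_to_reset": compromised}


if __name__ == "__main__":
    print(password_is_acceptable("123456"))   # False
    print(summarize(SAMPLE_AUTH_LOG))
```

Run against the constructed log, the scan from 203.0.113.7 is flagged because it walked six consecutive account numbers, and the two accounts it opened with the default password are listed for a forced reset; the two legitimate-looking sources are left alone. The run-length check is deliberately independent of whether each attempt failed, since a default password means many attempts succeed on the first try.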

The security pros scanned a million account numbers, and said they found that more than 600,000 vulnerable devices are in circulation. Avast, which was apparently stonewalled by Shenzen i365 when it tried to warn it of the flaws, reckons folks should just bin the GPS gear altogether.

"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time," said Avast senior researcher Martin Hron. "We are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices."

It is not just the trackers themselves that are vulnerable, said Team Avast. The accompanying mobile apps were also found to be moving tracking and account information across networks in plain text. More than 50 iOS and Android apps, at least some available as insecure downloads, can be used to monitor these GPS gizmos.

"Avast Threat Labs first analyzed the T8 Mini child tracker and found the companion mobile app is downloaded from an unsecured website, exposing the users’ information," the security biz wrote in a summary. "Further security issues involved user account information, which comes with an assigned ID number and default password of 123456. Design flaws in the trackers can also enable third-parties to 'spoof' (or fake) the user’s location, or access the microphone for eavesdropping."

Shenzen i365 did not respond to a request for comment on the report.

Avast said parents who wish to use GPS gear to track their kids' whereabouts would be well-advised not to scrimp on hardware, and do their homework to find a respected vendor, rather than go with equipment from an unknown company on Amazon or other markets.

"As parents, we are inclined to embrace technology that promises to help keep our kids safe," says Avast head of product delivery Leena Elias, "but we must be savvy about the products we purchase." ®

Biting the hand that feeds IT © 1998–2021