Concerned parents who strap GPS trackers to their kids to keep tabs on the youngsters may be inadvertently putting their offspring in danger. Hundreds of thousands of the gizmos ship with pathetic security, including a default password of 123456, allowing them to be potentially monitored by strangers, it is claimed.
White hats at Avast announced on Thursday they discovered 29 models of gadgets, designed to track their child wearers, had that weak default passcode. The watch-like devices are all made by Shenzen i365 in China, and sold under various brand names via Amazon at around $25 to $50 apiece.
These trackers typically connect to cellular networks using a built-in SIM card, and send their whereabouts to backend servers so that their locations can be observed by parents after logging into a web portal. To monitor one of these watches, you need a valid user number, derived from the gadget's unique serial number (the IMEI), and a password, which is probably still the factory default. Thus miscreants, armed with the factory default and commonly used passwords, can brute-force scan through ranges of IMEI numbers assigned to the trackers, and potentially log into portal accounts to snoop on kids.
And snoop is the right word: once into an account, you can see the kid's GPS coordinates, eavesdrop on the built-in microphone, access any photos on the device, and potentially even make a call to the child. Additionally, Avast reports, many of the devices send their telemetry to base in plain text over the internet, leaving families vulnerable even if they change the password from the default. This unencrypted data can be intercepted, spied on, and tampered with, by network eavesdroppers.
The security pros scanned a million account numbers, and said they found more than 600,000 vulnerable devices are in circulation. Avast, which was apparently stonewalled by Shenzen i365 when it tried to warn it of the flaws, reckons folks should just bin the GPS gear altogether.
"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time," said Avast senior researcher Martin Hron. "We are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices."
European Commission orders mass recall of creepy, leaky child-tracking smartwatchREAD MORE
It is not just the trackers themselves that are vulnerable, said Team Avast. The accompanying mobile apps were also found to be moving tracking and account information across networks in plain text. More than 50 iOS and Android apps, at least some available as insecure downloads, can be used to monitor these GPS gizmos.
"Avast Threat Labs first analyzed the T8 Mini child tracker and found the companion mobile app is downloaded from an unsecured website, exposing the users’ information," the security biz wrote in a summary. "Further security issues involved user account information, which comes with an assigned ID number and default password of 123456. Design flaws in the trackers can also enable third-parties to 'spoof' (or fake) the user’s location, or access the microphone for eavesdropping."
Shenzen i365 did not respond to a request for comment on the report.
Avast said parents who wish to use GPS gear to track their kids' whereabouts would be well-advised not to scrimp on hardware, and do their homework to find a respected vendor, rather than go with equipment from an unknown company on Amazon or other markets.
"As parents, we are inclined to embrace technology that promises to help keep our kids safe," says Avast head of product delivery Leena Elias, "but we must be savvy about the products we purchase." ®