Stalking cheap Chinese GPS child trackers is as easy as 123... 456 – because that's the default password on 600k+ of these gizmos

It's 2019 and, like, duh, insecurity comes as standard


Concerned parents who strap GPS trackers to their kids to keep tabs on the youngsters may be inadvertently putting their offspring in danger. Hundreds of thousands of the gizmos ship with pathetic security, including a default password of 123456, allowing them to be potentially monitored by strangers, it is claimed.

White hats at Avast announced on Thursday they had discovered 29 models of child-tracking gadgets that ship with that weak default passcode. The watch-like devices are all made by Shenzhen i365 in China, and sold under various brand names via Amazon at around $25 to $50 apiece.

These trackers typically connect to cellular networks using a built-in SIM card, and send their whereabouts to backend servers so that their locations can be observed by parents after logging into a web portal. To monitor one of these watches, you need a valid user number, derived from the gadget's unique serial number (the IMEI), and a password, which is probably still the factory default. Thus miscreants, armed with the factory default and commonly used passwords, can brute-force scan through ranges of IMEI numbers assigned to the trackers, and potentially log into portal accounts to snoop on kids.
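As an added example (not Avast's tooling and not the vendor's code), here is a portal-side detector for the ID-range walking described above: it groups login events by source address, flags any source that tries several consecutive user IDs within a short window, and lists the accounts that source got into so they can be forced through a password reset. The log format, addresses and user IDs are constructed for the example.

```python
import re
from collections import defaultdict
LINE_RE = re.compile(r"^(\d+) (\S+) (\d+) (OK|FAIL)$")

# Constructed sample of portal login events, "epoch_seconds src_ip user_id result".
# The format and the addresses are assumptions, not the vendor's real portal logs.
SAMPLE_LOG = """\
1567700000 203.0.113.9 1000123 FAIL
1567700001 203.0.113.9 1000124 FAIL
1567700002 203.0.113.9 1000125 OK
1567700003 203.0.113.9 1000126 FAIL
1567700004 203.0.113.9 1000127 OK
1567700005 203.0.113.9 1000128 FAIL
1567700010 198.51.100.4 2000555 OK
1567700400 198.51.100.4 2000555 OK
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, uid, result = m.groups()
    return {"ts": int(ts), "src": src, "uid": int(uid), "ok": result == "OK"}

def sequential_fraction(ids):
    # Share of adjacent gaps (after sorting) of at most 2: near 1.0 means an ID range is being walked.
    ids = sorted(set(ids))
    if len(ids) < 2:
        return 0.0
    return sum(1 for a, b in zip(ids, ids[1:]) if b - a <= 2) / (len(ids) - 1)

def scanning_sources(log_text, window=60, min_ids=5, min_seq=0.8):
    # For each source, slide a time window and flag it once it has tried
    # min_ids distinct, mostly consecutive user IDs; also list the IDs it got into.
    by_src = defaultdict(list)
    for e in filter(None, map(parse_line, log_text.splitlines())):
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            ids = [e["uid"] for e in evs[start:end + 1]]
            if len(set(ids)) >= min_ids and sequential_fraction(ids) >= min_seq:
                flagged[src] = {"scanned": sorted(set(ids)),
                                "logged_in": sorted({e["uid"] for e in evs[start:end + 1] if e["ok"]})}
                break
    return flagged
```

The accounts under "logged_in" are the ones a backend should lock and force to a non-default password; a parent logging into a single account, as the second source does, is never flagged.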

And snoop is the right word: once into an account, you can see the kid's GPS coordinates, eavesdrop on the built-in microphone, access any photos on the device, and potentially even make a call to the child. Additionally, Avast reports, many of the devices send their telemetry to base in plain text over the internet, leaving families vulnerable even if they change the password from the default. This unencrypted data can be intercepted, spied on, and tampered with, by network eavesdroppers.

The security pros scanned a million account numbers, and said more than 600,000 vulnerable devices are in circulation. Avast, which was apparently stonewalled by Shenzhen i365 when it tried to warn the manufacturer of the flaws, reckons folks should just bin the GPS gear altogether.

"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time," said Avast senior researcher Martin Hron. "We are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices."

It is not just the trackers themselves that are vulnerable, said Team Avast. The accompanying mobile apps were also found to be moving tracking and account information across networks in plain text. More than 50 iOS and Android apps, at least some available as insecure downloads, can be used to monitor these GPS gizmos.

"Avast Threat Labs first analyzed the T8 Mini child tracker and found the companion mobile app is downloaded from an unsecured website, exposing the users’ information," the security biz wrote in a summary. "Further security issues involved user account information, which comes with an assigned ID number and default password of 123456. Design flaws in the trackers can also enable third-parties to 'spoof' (or fake) the user’s location, or access the microphone for eavesdropping."

Shenzhen i365 did not respond to a request for comment on the report.

Avast said parents who wish to use GPS gear to track their kids' whereabouts would be well-advised not to scrimp on hardware, and do their homework to find a respected vendor, rather than go with equipment from an unknown company on Amazon or other markets.

"As parents, we are inclined to embrace technology that promises to help keep our kids safe," says Avast head of product delivery Leena Elias, "but we must be savvy about the products we purchase." ®
