600,000 GPS child trackers found vulnerable to location tracking
Today the use of trackers has become widespread, particularly due to the fine balance found between their ease of use and the security benefits attained. They can help you track your loved ones in real-time through GPS technology and hence be their safe keeper even from far away.
However, a crucial process among this is that the location transmission should be secure in itself otherwise attackers can benefit from it. For example, an attacker may use one’s location to know when they are at their most vulnerable and then attack them.
Keeping these potential risks in mind, Avast set out to study a variety of GPS tools found on the internet and how secure they are. For their first time, they chose a device named T8 Mini GPS Tracker which can be found on Amazon, Alibaba, and eBay among others.
To start with, the tracker offers a website and app to manage it. Upon accessing the site, it apparently did not have an SSL certificate which means that all communication over the site was unencrypted. Consequently, if you used your username and password to log in, it could be sniffed by a black hat hacker who could use it gain access to your account and do a range of malicious things including infecting the device with malware and spoofing information.
Secondly, one can log in to the portals using an ID and a default password: 123456 for this device. The ID No. can be obtained by looking up numbers displayed on a sticker attached to the tracker.
There are 3 security concerns here:
- If the re-seller of these devices has re-packed them, they could note down these login IDs and use them later to access the accounts of their customers. This is made even easier by the fact that the passwords are set by default at the start as mentioned above and most users seldom bother changing them.
- As mentioned by Martin from Avast, “the numbers of all other trackers are predictable and you can easily enumerate them. In combination with a fixed password, that means we could log into about 25% of devices in this sequence of IMEI numbers.”
- One needs to contact the reseller from whom the tracker was purchased to register a username if they wish to login by not using an ID and hence again a lot of buyers would not want to make this effort – humans being the biggest vulnerability here.
However, what’s more alarming is that not only this one device has such an insecure infrastructure in place. 29 other models are available online for sale manufactured by the same company, mostly under the same brand name and other different white-labeled ones. Additionally, 50 more applications were discovered for mobile devices that were using the same unencrypted platform and hence may also be vulnerable.
In conclusion, Avast has reported that they notified the vendor on 24 June 2019 but didn’t receive a response. Nonetheless, we checked the web portal of the GPS device and it now appears to be using an SSL connection. It seems that they did make an easy patch there but to truly make their devices secure, they must act on changing how login protocols work and other internal workings as discovered by researchers.
Furthermore, it is important to change our buying habits keeping this in mind. Although such devices may be available at a cheaper price, the vulnerabilities inherently present in them offset any such advantage and so it better to buy devices whose security you could be assured of.