At least 600,000 GPS trackers manufactured by a company in China are using the default “123456” password, according to researchers at cyber-security firm Avast.
The researchers say that the default password makes it easy for hackers to hijack user accounts. Once an account is hijacked, attackers can spy on conversations, get the tracker’s SIM card phone number, or even spoof the tracker’s real location.
According to Avast’s researchers, more than 30 GPS tracker models are impacted, all of which are manufactured by the same company. Other trackers, like Meitrack (gpswox.com/en/supported-gps-trackers/meitrack), were not included in the research.
All of the models share the same backend infrastructure, which consists of a cloud server that the GPS trackers report to, a web panel that customers log into, and a mobile app that connects to the same cloud server.
Avast’s researchers found many issues with this infrastructure, primarily the fact that all user accounts had user IDs and passwords that were easy to guess. This makes it easy for hackers to launch attacks against the cloud server and hijack user accounts.
After scanning more than 4 million user IDs, researchers found that more than 600,000 accounts were still using the default password. Users can change their password after logging in for the first time, but many are leaving the default password in place.
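On the cloud-server side, the pattern described in the two paragraphs above (one client trying the default password against many guessable user IDs) is visible in login logs. The sketch below is an added example, not code from Avast or the manufacturer; the log format, the `default_pw` flag and all sample values are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events in an assumed log format (not a real product's log).
# default_pw=1 means the submitted password equalled the factory default.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=203.0.113.7 user=1000001 default_pw=1 result=fail
2024-01-01T10:00:02Z src=203.0.113.7 user=1000002 default_pw=1 result=ok
2024-01-01T10:00:03Z src=203.0.113.7 user=1000003 default_pw=1 result=fail
2024-01-01T10:00:04Z src=203.0.113.7 user=1000004 default_pw=1 result=ok
2024-01-01T10:05:00Z src=198.51.100.20 user=1000450 default_pw=1 result=ok
2024-01-01T10:07:00Z src=192.0.2.9 user=1000777 default_pw=0 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\d+) "
    r"default_pw=(?P<default>[01]) result=(?P<result>ok|fail)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def find_default_password_sweeps(log_text, min_accounts=3):
    """Sources that tried the default password on >= min_accounts user IDs."""
    tried = defaultdict(set)    # source -> user IDs tried with the default
    exposed = defaultdict(set)  # source -> user IDs where that login worked
    for ev in parse(log_text):
        if ev["default"] != "1":
            continue
        tried[ev["src"]].add(ev["user"])
        if ev["result"] == "ok":
            exposed[ev["src"]].add(ev["user"])
    return {
        src: {"tried": sorted(users), "exposed": sorted(exposed[src])}
        for src, users in tried.items()
        if len(users) >= min_accounts
    }

def accounts_still_on_default(log_text):
    """Every user ID seen logging in successfully with the default password."""
    return sorted({e["user"] for e in parse(log_text)
                   if e["default"] == "1" and e["result"] == "ok"})

if __name__ == "__main__":
    print(find_default_password_sweeps(SAMPLE_LOG))
    print(accounts_still_on_default(SAMPLE_LOG))
```

The second function gives the list of accounts a forced password change would need to cover, including owners who simply never changed the default.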
Consumers typically buy GPS trackers to monitor important things, like pets, family members and valuable items. Triangulation allows these trackers to keep tabs on the item’s location in real-time.
According to www.trackingfox.com, “The target object is tracked by three (or more) satellites which are closest to it. The GPS calculates the relative distances by tracing the route of radio waves traveling to and from the satellites. The coordinates of the target object’s exact location are then obtained.”
Attackers who gain access to one of these accounts can track victims, but they can also spoof the real location of the tracker in order to steal or kidnap without the owner noticing until the damage is done. Many of these trackers also have microphones and SIM cards so that kids or elderly individuals can call for help if needed. According to Avast’s researchers, hackers can also abuse this feature by placing a call from the device to their own number, answering the call, and then spying on the owner of the GPS tracker.
The default password problem can also cause issues for the manufacturer. In this case, the company creates accounts as soon as the trackers are produced. A competitor could easily hijack accounts before the devices are even sold and change their passwords, creating a customer service nightmare for the company.