Still believe Close-Guard Technology is too obsessive about security and data privacy in its designs?
No security measure is ever too much... especially when it comes to real-time location. If this is not enough reason, then you must read this latest research finding by Avast.
At least 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456," security researchers from Czech cyber-security firm Avast disclosed today.
They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels.
Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker.
However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies.
All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server.
But all this infrastructure was full of holes. While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess.
The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) and were sequential, while the password was the same for all devices: 123456.
This means that an attacker can run an automated sweep against Shenzhen i365-Tech's cloud server, trying each sequential user ID with the password 123456, and take over every account that still uses it.
While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.
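To make the scale of the problem concrete, here is an added toy model of the sweep (not code from Avast, the vendor, or Close-Guard): a login endpoint whose user IDs are sequential IMEIs with a shared default password, the one-pass enumeration against it, and the same sweep against a backend that binds logins to an e-mail address and a unique random password and locks an account after repeated failures. The starting IMEI, the e-mail addresses, the "every fourth owner changed the default" ratio, the lockout threshold and the detection threshold are all constructed assumptions.

```python
"""Toy model of the credential sweep Avast described against the tracker
cloud: user IDs derived from sequential IMEIs, one shared default password.
Constructed example; the backend, IMEIs, e-mails, ratios and thresholds are
assumptions, not the vendor's or Close-Guard's code."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "123456"
BASE_IMEI = 860000000000000  # assumed starting IMEI (15 digits), constructed


def imei_to_user_id(imei: int) -> str:
    """Assumed ID scheme: the user ID is simply the device IMEI as text."""
    return str(imei)


@dataclass
class Backend:
    """Minimal tracker-cloud login endpoint: a credential table, an optional
    per-account lockout after N failures, and a log of every attempt."""
    credentials: dict[str, str]
    lockout_after: int | None = None
    failures: dict[str, int] = field(default_factory=dict)
    attempts_log: list[tuple[str, str, bool]] = field(default_factory=list)

    def login(self, src: str, user_id: str, password: str) -> bool:
        locked = (self.lockout_after is not None
                  and self.failures.get(user_id, 0) >= self.lockout_after)
        # A locked account rejects even a correct password.
        ok = (not locked) and self.credentials.get(user_id) == password
        if not ok:
            self.failures[user_id] = self.failures.get(user_id, 0) + 1
        self.attempts_log.append((src, user_id, ok))
        return ok


def vulnerable_backend(n_devices: int) -> Backend:
    """Sequential IMEI-derived IDs and the default password; every fourth
    owner has changed theirs (constructed ratio, kept deterministic)."""
    creds = {}
    for i in range(n_devices):
        uid = imei_to_user_id(BASE_IMEI + i)
        creds[uid] = secrets.token_urlsafe(12) if i % 4 == 3 else DEFAULT_PASSWORD
    return Backend(creds)


def hardened_backend(n_devices: int) -> Backend:
    """Login bound to an e-mail address and a unique random password; the
    IMEI is device metadata, never a login identifier. Lockout after 5."""
    creds = {f"owner{i}@example.net": secrets.token_urlsafe(12)
             for i in range(n_devices)}
    return Backend(creds, lockout_after=5)


def sweep(backend: Backend, src: str, first_imei: int, count: int,
          password: str = DEFAULT_PASSWORD) -> list[str]:
    """The attack: walk the IMEI space once with the default password and
    return the user IDs that logged in."""
    return [uid for uid in (imei_to_user_id(first_imei + i) for i in range(count))
            if backend.login(src, uid, password)]


def sweep_sources(backend: Backend, distinct_ids: int = 20) -> set[str]:
    """Detection: a source trying many distinct user IDs is sweeping,
    whatever its success rate. The threshold is an assumption."""
    seen: dict[str, set[str]] = {}
    for src, uid, _ok in backend.attempts_log:
        seen.setdefault(src, set()).add(uid)
    return {src for src, ids in seen.items() if len(ids) >= distinct_ids}


if __name__ == "__main__":
    weak = vulnerable_backend(100)
    taken = sweep(weak, "203.0.113.7", BASE_IMEI, 100)
    print(f"vulnerable: {len(taken)}/100 accounts taken over")  # 75/100
    strong = hardened_backend(100)
    taken = sweep(strong, "203.0.113.7", BASE_IMEI, 100)
    print(f"hardened: {len(taken)}/100 accounts taken over")  # 0/100
    print("sweeping sources:", sweep_sources(weak) | sweep_sources(strong))
```

The point of the model is the cost asymmetry: with guessable IDs and one default password, one request per device turns the whole customer base into a yes/no list, and the only thing that protects an owner is having changed the password. Once the login identifier is no longer derivable from the device and every credential is unique, the same sweep yields nothing, and the attempt log still lets the operator spot the source that tried hundreds of distinct IDs.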
Pervasive tracking and other attacks
Many customers buy the devices to track pets, elderly family members, kids, cars, or other valuable items. An attacker who gains access to one of these customer accounts can track victims, but they can also spoof the tracker's location to kidnap or steal a valuable product without the owner noticing until it's too late.
In addition, these devices come with microphones and SIM cards so children or elderly members can place SOS calls to authorities or family members.
Avast says account hackers can abuse this feature to place a phone call to their own number, answer the call, and then quietly spy on the GPS tracker owner.
How come Close-Guard GPS devices are not affected?
We saw this type of attack coming, even before we started production. That is why all our GPS trackers are designed to be accessible only via the user's email or phone and a unique password, different from the actual device PIN.
Even with the device IMEI and PIN, one can never gain access to the GPS device, as our systems are designed never to allow such access.