600,000 GPS Trackers are Using the Default “123456” Password



At least 600,000 GPS trackers manufactured by a company in China are using the default
“123456” password, according to researchers at cyber-security firm Avast.

The researchers say that the default password makes it easy for hackers to hijack
user accounts. Once an account is hijacked, attackers can spy on conversations, get the
tracker’s SIM card phone number, or even spoof the tracker’s real location.

According to Avast’s researchers, more than 30 GPS tracker models are impacted, all of which
are manufactured by the same company. Other trackers, like Meitrack (gpswox.com/en/supported-gps-trackers/meitrack), were not included in the research.

All of the models have the same backend infrastructure, which consists of a cloud server
that the GPS trackers reported to, a web panel which customers could log into,
and a mobile app that connected to the same cloud server.

Avast’s researchers found many issues with this infrastructure, primarily the fact that
all user accounts had user IDs and passwords that were easy to guess. This
makes it easy for hackers to launch attacks against the cloud server and hijack
user accounts.

After scanning more than 4 million user IDs, researchers found that more than 600,000
accounts were still using the default password. Users can change their account
passwords after logging in for the first time, but many are leaving the default
password in place.

Consumers typically buy GPS trackers to monitor important things, like pets, family
members and valuable items. Triangulation allows these trackers to keep tabs on
the item’s location in real-time.

According to www.trackingfox.com, “The target object is tracked by
three (or more) satellites which are closest to it. The GPS calculates the
relative distances by tracing the route of radio waves traveling to and from
the satellites. The coordinates of the target object’s exact location are then
obtained.”


Attackers who gain access to one of these accounts can track victims, but they can also
spoof the real location of the tracker in order to steal or kidnap without the
owner noticing until the damage is done. Many of these trackers also have microphones
and SIM cards so that kids or elderly individuals can call for help if needed.
According to Avast’s researchers, hackers can also abuse this feature by
placing a call from the device to their own number, answering the call, and
then spying on the owner of the GPS tracker.

The default password problem can also cause issues for the manufacturer. In this case, the
company creates accounts as soon as the trackers are produced. A competitor
could easily hijack accounts before the devices are even sold and change their
passwords, creating a customer service nightmare for the company.
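
One way a vendor could avoid the shared default when accounts are created at production time, and find accounts in its own credential store that still use it. This is an added example, not code from Avast's research or from the manufacturer; the store layout, function names and device IDs are assumptions.

```python
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "123456"  # the shared default named in the article

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def new_record(password: str) -> dict:
    # Hypothetical account record: per-account salt, hash and state flags.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt),
            "must_change": True, "locked": False}

def provision_account(store: dict, device_id: str) -> str:
    """Create the account at manufacture time with a unique random password.
    The return value is meant for the label shipped with that one device."""
    password = secrets.token_urlsafe(12)
    store[device_id] = new_record(password)
    return password

def verify(store: dict, device_id: str, password: str) -> bool:
    rec = store.get(device_id)
    if rec is None or rec["locked"]:
        return False
    return hmac.compare_digest(rec["hash"], hash_password(password, rec["salt"]))

def audit_default_passwords(store: dict) -> list:
    """Vendor-side audit of its own credential store: lock every account whose
    hash still matches the shared default until the owner resets it."""
    flagged = []
    for device_id, rec in store.items():
        candidate = hash_password(DEFAULT_PASSWORD, rec["salt"])
        if hmac.compare_digest(rec["hash"], candidate):
            rec["locked"] = True
            flagged.append(device_id)
    return sorted(flagged)

def build_demo_store() -> dict:
    # Constructed sample data: two legacy accounts created with the shared
    # default, one account provisioned with a per-device secret.
    store = {d: new_record(DEFAULT_PASSWORD) for d in ("1000001", "1000002")}
    provision_account(store, "1000003")
    return store

if __name__ == "__main__":
    print("still on default:", audit_default_passwords(build_demo_store()))
```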




