600, 000 GPS trackers for people and pets are using 123456 as a password

[InfoSec News <alerts () infosecnews org>]

https://arstechnica.com/information-technology/2019/09/600000-gps-trackers-for-people-and-pets-are-using-123456-as-a-password/

By Dan Goodin
Ars Technica
9/5/2019

An estimated 600,000 GPS trackers for monitoring the location of kids, seniors,
and pets contain vulnerabilities that open users up to a host of creepy attacks,
researchers from security firm Avast have found. The $25 to $50 devices are
small enough to wear on a necklace or stash in a pocket or car dash compartment.
Many also include cameras and microphones.

They’re marketed on Amazon and other online stores as inexpensive ways to help
keep kids, seniors, and pets safe. Ignoring the ethics of attaching a spying
device to the people we love, there’s another reason for skepticism.
Vulnerabilities in the T8 Mini GPS Tracker Locator and almost 30 similar model
brands from the same manufacturer, Shenzhen i365 Tech, make users vulnerable to
eavesdropping, spying, and spoofing attacks that falsify users’ true location.

Researchers at Avast Threat Labs found that ID numbers assigned to each device
were based on its International Mobile Equipment Identity, or IMEI. Even worse,
during manufacturing, devices were assigned precisely the same default password
of 123456. The design allowed the researchers to find more than 600,000 devices
actively being used in the wild with that password. As if that wasn’t bad
enough, the devices transmitted all data in plaintext using commands that were
easy to reverse engineer.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_