Security flaws have been discovered in 600,000 GPS tracking devices intended to keep society's most vulnerable members safe.
Researchers at Avast Threat Labs found a number of vulnerabilities in 29 different device models commonly used to track the whereabouts of children, seniors, and pets.
Affected trackers expose data sent to the cloud, enabling hackers to lock on to the real-time GPS coordinates of the device's wearer. Design flaws in the trackers also make it possible for third parties to hack into devices and falsify data to give an inaccurate location reading.
In what seems like an obvious drop of the ball, data being sent from the devices to the cloud was unencrypted, unauthenticated, and written in plaintext, making it an easy target for hackers.
Furthermore, devices with built-in cameras and microphones were found to contain a flaw that made it possible for them to be used by hackers wishing to spy or eavesdrop on the wearer.
The faulty devices, which are widely available for $25–$50 from online merchants, are made by Chinese manufacturer Shenzhen i365 Tech and resold under various brand names.
Analysis by Avast's Threat Intelligence Team found that users of the T8 Mini GPS Tracker Locator were directed to an insecure website to download the device's companion mobile app. Users who downloaded the app had their information exposed.
User account information was also made vulnerable by the mass assignment to users of the default password "123456," commonly recognized as the password equivalent of throwing hackers a welcome party with free booze.
Avast made their findings known to Shenzhen i365 Tech and were met with radio silence.
Martin Hron, senior researcher at Avast, said: "We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices."
Avast advised people to steer clear of suspiciously cheap and knock-off smart devices, and noted that the use by children of even those tracking devices deemed safe from an information security perspective may affect their ability to learn how to be independent and may also give adults a false sense of safety.