600,000 GPS Trackers Left Exposed Online With a Default Password of '123456'

According to Avast security researchers, over 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456. "They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels," reports BleepingComputer. From the report: Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker. However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies. All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server. But all this infrastructure was full of holes.

While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess. The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) code and was sequential, while the password was the same for all devices -- 123456. This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user ID's one by one, and using the same 123456 password, and take over users' accounts. While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.

Cue the references to the same password on luggage

[mark-t]

In 5...4...3...2...

Re:

[dryriver]

Actually, its 1 - 2 - 3 - 4 - 5 - 6, NOT 5...4...3...2... as you wrote. (No, that wasn't a serious reply)

Re:

[mark-t]

Obviously... my point was to imitate a countdown until such comments started.

And true to every expectation, the first post on this story after my own [slashdot.org] did not disappoint, not 30 seconds after I had clicked submit in my previous comment.

That pesky 6 !

[Laxator2]

It would have been the same as the combination on the luggage if only it stopped at 5. But the 6 at the end messed it all up.
At least I know that he's afraid of 7, so that makes me feel better already.

That's amazing!

[Ecuador]

That's amazing! I have the same combination on my luggage!

Re:That's amazing!

[dryriver]

Its not YOUR luggage anymore, har har. I got your combination from a Chinese GPS cloud server.

Re:

[CaptnCrud]

I just looked up dick van patten to see if he was still alive....ffff....

Re:

[Tablizer]

That's amazing! I have the same combination on my luggage!

Reference [youtube.com]

Re:

[K. S. Kyosuke]

600000 people do, if they're tracking their luggage.

600,000 GPS Users EXPOSED Themselves Online?

[dryriver]

And I can see them all without clothes with the Password 123456? And I see where they are in GPS coordinates over the Chinese GPS cloud server? Wonderful! (On a more serious note, I fail over and over to understand how people capable of MANUFACTURING electronics are too dumb to secure them. Sneaky Chinese government policy maybe? Who knows...)

Re:

[malvcr]

The problem is that some person has a good idea, but other one realizes that it is possible to build something similar with the less possible effort and making money. Then, they flood the market with a device offering the sky on characteristics but made with no quality neither security measures applied. Their only purpose is to make money, they even sell it without a brand attached if the customer likes it that way.

And we have the complete lack of compliance (if that thing even offer any type of prote

Making lemonade

[SuperKendall]

Baller move here would be to turn these devices into an instant social media network.

Re:

[14erCleaner]

They're probably being hijacked en masse to do spam calls already.

Re:

[Admiral Krunch]

How many of those 600k were still on the shelves waiting to be sold.
Did they check if the corresponding location was all in the same warehouse?

Re: Only 600,000 is actually pretty impressive

[Zero__Kelvin]

They aren't powered on in a box in the warehouse numbnuts.

Re:

[Opportunist]

You sure about that? Power consumption on such gadgets is SO low these days that the ability of a battery to power them probably already outmatches the expected shelf life of the battery, and since installing a power switch along with making the battery user serviceable could cost a cent or two...

Re:

[Zero__Kelvin]

I am sure about it, and you are an idiot if you think that there are any G3 Wireless systems that run on batteries for even several days, never mind months and years. They get wired into the vehicle electronics, and yes I have installed them before.

Re: You seem quite sure/full of yourself

[Zero__Kelvin]

None of those things are the devices we are talking about, and almost none of them are connected to 3G. I am quite sure you are a moron.

Re:

[Zero__Kelvin]

I admit that I didn't look closely at what was in the picture and assumed they were "Smart Watches" and fitbits, etc. Given that those are devices described in the article they all connect via GSM as depicted in all those diagrams before that you clearly don't understand. So again, none of these devices were powered on and connected to the internet via a GSM connection. DOH! You really are a retard. "Look, look, I both proved Zero__Kelvin was wrong about something insignificant, and showed I was a moron at

Re:

[Zero__Kelvin]

So I should be embarrassed that my original post was correct and that only a moron would think they are powered on and operating in a box in the warehouse? I guess if being right is embarrassing to you it explains why you are never embarrassed. Thanks for proving what a moron you are.

Re:

[Zero__Kelvin]

They need to be powered on for the server to give any information other than that the device is offline and we have no idea where it is dipshit. And I was right because I knew exactly what kind of devices they were, to wit, GSM connected devices. People who actually understand technology don't need to look at the pertty picture to see what color and shape it is. DOH!

Re:

[Zero__Kelvin]

That shows where it was when it went offline you idiot.

Re: You are just too funny.

[Zero__Kelvin]

Yeah dickwad. Nobody is smart enough to figure out you are quoting two or three words from each sentence that makes it look likeI wrote something completely different. Off you go little troll loser ...

Re:

[Zero__Kelvin]

The only things as I said that weren't true was that the picture wasn't of the actual devices, and I said that all the devices are wired into vehicles since I mistakenly believed they were GPS trackers for vehicles. The picture you linked to proves my point as it shows 7 hrs online with 41% battery, which proves what I originally said is true, but of course you are too fucking stupid to realize that you keep proving my point and claiming to disprove it when you do. Off you go now little troll ....

Re: You're just taking the piss now aren't you?

[Zero__Kelvin]

That is not what it says, but at least I know can see where your idiocy comes from.

Re: You're just repeating yourself.

[Zero__Kelvin]

That's what you said last time.

Re:

[Zero__Kelvin]

That's what you said the last time.

Re:

[Admiral Krunch]

Yea that was a bit silly of me. But they weren't hacking the devices anyway but the server. Maybe they could see the location was some kind of default or invalid and allowed for that in their results.

Re:

[DenverTech]

The T8 Mini Tracker has a Li-Ion battery, charged by USB cable. Checking the user manual for the T8, the SIM Card must be installed by the user. So, at least all T8 units must have had the SIM card installed by its user, to see it online.

Re:

[Admiral Krunch]

This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user ID's one by one, and using the same 123456 password, and take over users' accounts.

So they weren't 'hacking' the devices, but the server. How do they even know which ID's had been used by actual people?

It seems that every device’s account is active from the time the device is manufactured, so an attacker can lock-out the user out of the account even before he buys his tracker just based on the IMEI number because you can change the password of an account which belongs to a device that has not been used yet.

Oh so they didn't need it to be active, or even sold yet to 'hack' it.
You're right though, they couldn't see it online and hopefully accounted for that in their analysis.

Re:

[malvcr]

With so many devices around, the only you need to check is where are them and to figure what it is useful to hack (hear).

For example, let's figure if there are some near Microsoft offices in Redmond. If we find some, let's track them to check if they belong to some Microsoft's employee and later, let's turn on the microphone remotely to hear what people around the GPS owner says. Some conversations will be useless, but others not so much and they even could belong to important people (not that the owner

600,000 GPS Trackers Left Exposed Online With a De

[Sooner Boomer]

Really? Where are they?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[drinkypoo]

Why the fuck does a GPS tracker have a microphone?

For the purpose of spying on thieves, or monitoring carjackings.

Re:

[Admiral Krunch]

Usually, the tracker itself is a simple, inexpensive devices that carries a SOC (system on chip) module as the main component; a serial bus connects the SOC to a GPS module that provides a location as well as to a GPRS modem that connects to a SIM card which provides DATA+SMS capabilities to the device. Very often, you can also find a microphone and a speaker for phone functionality that is used when the “SOS” button is pressed.

Sorry I didn't mean to read the article, I'm still new here.

Druia Air-Shield Password

[LemonFire]

123456 is still a stronger password than the one used for the air-shield surrounding planet Druidia.

-- This SIG has been deflated by gnarly gnomes

Re:

[Opportunist]

Not really. Considering the consecutive nature of the password, the quality is approximately the same.

OH NO! How will we ever find these to fix them?

[nagora]

Oh, right. Never mind.

Time for new password

[laie_techie]

Obviously 6 digits isn't enough anymore. Time to change it to 12345678 (cause you know hackers are going to try up to 7 next time!)