Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Privacy China Security Technology

600,000 GPS Trackers Left Exposed Online With a Default Password of '123456' (zdnet.com) 52

According to Avast security researchers, over 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456. "They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels," reports BleepingComputer. From the report: Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker. However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies. All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server. But all this infrastructure was full of holes.

While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess. The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) code and was sequential, while the password was the same for all devices -- 123456. This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user ID's one by one, and using the same 123456 password, and take over users' accounts. While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.

This discussion has been archived. No new comments can be posted.

600,000 GPS Trackers Left Exposed Online With a Default Password of '123456'

Comments Filter:
    • Actually, its 1 - 2 - 3 - 4 - 5 - 6, NOT 5...4...3...2... as you wrote. (No, that wasn't a serious reply)
    • It would have been the same as the combination on the luggage if only it stopped at 5. But the 6 at the end messed it all up.
      At least I know that he's afraid of 7, so that makes me feel better already.

  • by Ecuador ( 740021 ) on Thursday September 05, 2019 @05:06PM (#59163412) Homepage

    That's amazing! I have the same combination on my luggage!

  • And I can see them all without clothes with the Password 123456? And I see where they are in GPS coordinates over the Chinese GPS cloud server? Wonderful! (On a more serious note, I fail over and over to understand how people capable of MANUFACTURING electronics are too dumb to secure them. Sneaky Chinese government policy maybe? Who knows...)
    • by malvcr ( 2932649 )

      The problem is that some person has a good idea, but other one realizes that it is possible to build something similar with the less possible effort and making money. Then, they flood the market with a device offering the sky on characteristics but made with no quality neither security measures applied. Their only purpose is to make money, they even sell it without a brand attached if the customer likes it that way.

      And we have the complete lack of compliance (if that thing even offer any type of prote

  • by SuperKendall ( 25149 ) on Thursday September 05, 2019 @05:53PM (#59163612)

    Baller move here would be to turn these devices into an instant social media network.

  • Comment removed based on user account deletion
    • Why the fuck does a GPS tracker have a microphone?

      For the purpose of spying on thieves, or monitoring carjackings.

    • Usually, the tracker itself is a simple, inexpensive devices that carries a SOC (system on chip) module as the main component; a serial bus connects the SOC to a GPS module that provides a location as well as to a GPRS modem that connects to a SIM card which provides DATA+SMS capabilities to the device. Very often, you can also find a microphone and a speaker for phone functionality that is used when the “SOS” button is pressed.

      Sorry I didn't mean to read the article, I'm still new here.

  • 123456 is still a stronger password than the one used for the air-shield surrounding planet Druidia.

    -- This SIG has been deflated by gnarly gnomes

  • by nagora ( 177841 ) on Friday September 06, 2019 @05:55AM (#59164732)

    Oh, right. Never mind.

  • Obviously 6 digits isn't enough anymore. Time to change it to 12345678 (cause you know hackers are going to try up to 7 next time!)

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...