Physical, Computer and Network Security News

Avast uncovers potential security flaw in GPS trackers

Digital security company Avast has released information suggesting that certain brands of GPS trackers may be susceptible to hackers, potentially exposing children and elderly people to risk.

The device in question is the T8 Mini GPS tracker, and Avast reports that there are nearly 30 other models by the same manufacturer, Shenzhen i365 Tech, which may be vulnerable.

There are currently several hundred of these devices across Australia and New Zealand, and as many as 600,000 worldwide.

These devices apparently expose all data sent to the cloud, including exact real-time GPS coordinates, meaning hackers may be able to trace a child's exact location. Further, design flaws can enable unwanted third parties to spoof the location or access the microphone for eavesdropping.

Martin Hron, senior researcher at Avast who led this research, advises buyers of these products to opt for an alternative from brands that have built security into the product design, specifically secure login and strong data encryption. As with any off-the-shelf device, we recommend changing the default admin passwords to something more complex; however, in this case, even that will not stop a motivated individual from intercepting the unencrypted traffic. “We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said.  

Using a simple command lookup tool, researchers discovered that all of the requests originating from the tracker’s web application are transmitted in unencrypted plain text. Even more concerning, the device can issue commands beyond the intended uses of GPS tracking, such as:

  • Call a phone number, enabling a third party to eavesdrop through the tracker’s microphone
  • Send an SMS message, which could allow an attacker to identify the phone number of the device and thus use inbound SMS as an attack vector
  • Use SMS to reroute communication from the device to an alternate server in order to gain full control of the device or spoof information sent to the cloud
  • Share a URL to the tracker, allowing a remote attacker to place new firmware on the device without even touching it, which could completely replace the functionality or implant a backdoor

Leena Elias, head of product delivery for Avast, urges the public to take caution when bringing cheap or knock-off smart devices into the home. “As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” she said. “Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe — the extra cost is worth the peace of mind.”
