Parents hoping to protect their children by employing GPS trackers may want to think again.
New research from Avast, the Czech security firm, revealed some serious security issues with hundreds of thousands of these devices designed to track children.
About 600,000 child GPS trackers have security flaws
In a blog post, Avast said researchers discovered that about 600,000 child GPS trackers being hawked on Amazon and other Internet retailers are exposing data that is being sent to the cloud. That means the exact real-time GPS coordinates of children can fall into the wrong hands.
Avast said 29 models made by Shenzhen i365, a Chinese manufacturer, and resold under different brand names have the vulnerabilities. Avast Threat Lab found that the mobile app that accompanies the device is downloadable from a website that is not secure, exposing the information of users. The user accounts all come with a default password of 123456, which is very easy for hackers to figure out. The devices are also designed in a way that can enable third parties to fake the user's location or access the microphone.
Manufacturer doesn't respond
"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices," said Martin Hron, the senior researcher at Avast who led this research. Hron said consumers should purchase a GPS tracking device from a brand they trust that has taken the time to build security into the product design. Avast said it informed the manufacturer about the flaws on 24 June.
What's more, he said consumers who purchase off-the-shelf smart devices should change the default admin passwords to something far more complicated than 12345. In this case, though, that would not prevent a hacker from intercepting the unencrypted traffic being sent to the server.
Other GPS trackers have similar flaws
Avast isn't alone in finding security flaws in devices such as GPS trackers. In May, Fidus, the UK security firm, found that GPS trackers used by elderly patients could be manipulated to send location data in real time. That device was also manufactured in China and is white-labeled to a slew of resellers. Fidus said it appears the manufacturer and resellers didn't do any security or penetration testing of the GPS tracker.