Shenzhen i365 Tech Sells 600,000 GPS Trackers with '123456' Set as the Default Password
In August 2018, the State of California passed a bill which is supposed to make Internet of Things (IoT) devices more secure. It has already caused more than a little controversy, with some arguing that lawmakers don't have the required expertise to govern the security of electronic devices, and others saying that while the bill introduces some good ideas, it should be more specific when it comes to the rules and regulations it sets.
It's difficult to say whether the bill is good enough, and it's even harder to predict how it will be enforced once it goes into effect at the beginning of next year. There's little doubt in anyone's mind, however, that the state of IoT security is woeful, and everyone is hoping that the law will help at least a little bit. Last week, researchers from Avast provided yet more proof of how desperately we need it to work.
Default usernames and passwords put the security of GPS trackers at risk
The experts were interested in the security of a few GPS trackers that cost between $25 and $50 and can be easily bought from major online retailers like Amazon and eBay. Most of the trackers they examined appear to be manufactured by a company called Shenzhen i365 Tech, and they're supposed to give you the chance of knowing where your children, elderly parents and grandparents, and pets are at any given time.
You can get the exact coordinates of the device by logging in at a browser-based portal or an Android application, and since the trackers come with a SIM card slot, a microphone, and a speaker, you can also call the device or control it via SMS commands. The higher-end models are even equipped with a camera.
It sounds like a fairly straightforward and relatively cheap way of making sure that the people you care about are safe. Take a look at the product page of T8S Mini, one of the trackers Avast examined, however, and you'll see that from a security perspective, things start to fall apart rather quickly.
There are handy images and instructions in less-than-perfect English telling users what they need to do once they buy their tracker. At one point, you are given explanations on how to log into the application for the first time. You need to use the device's ID number (visible once you open the case) and the default password – "123456".
The problem should be pretty obvious, but just in case, let's recap. The location of the GPS tracker (and the person wearing it) is protected by a username that is easy to obtain and the world's worst password. When CNET's reporters wrote about the issue, they requested a comment from Shenzhen i365 Tech, and a spokesperson said that after their initial login, users can easily change the default password to something more secure. They are not forced to do it, however, which means that most of them just don't bother.
On its own, the password can't unlock the account, but Avast's researchers found out that getting to the product ID, the other required piece of information, is also terrifyingly easy. The IDs in question are incremental. In other words, if the ID of your GPS tracker is "1000000001", the ID of the tracker manufactured immediately after yours is "1000000002". If an attacker knows this, they can log into the accounts of GPS tracker owners who haven't changed the default password.
To find out just how big the chances of a successful break-in are, Avast's experts scanned 4 million incremental IDs and found out that at least 600 thousand Shenzhen i365 trackers were "live in the wild with default passwords." There was even more to it than that, though.
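The two design flaws described above (a guessable, incremental device ID and a factory password that users are never forced to replace) are both server-side choices. The following is an added example, not code from Avast or from any tracker vendor, of how a tracker portal could close both gaps: device IDs drawn from a cryptographic random source so that knowing one says nothing about its neighbours, and a login flow that accepts the factory default only for the purpose of changing it. All names, the weak-password list and the password-length rule are assumptions made for the illustration.

```python
import secrets
import hmac
import hashlib

DEFAULT_PASSWORD = "123456"  # the factory default named in the article

# Constructed denylist of trivially guessable passwords (hypothetical).
WEAK_PASSWORDS = {"123456", "password", "12345678", "000000", "111111"}
MIN_PASSWORD_LENGTH = 10     # assumed policy value


def new_device_id():
    """Unguessable identifier: 12 random bytes rendered as 24 hex characters.
    Unlike an incremental serial, the ID of the next device off the line
    cannot be derived from this one."""
    return secrets.token_hex(12)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class TrackerAccount:
    """Server-side record for one tracker (hypothetical model)."""

    def __init__(self):
        self.device_id = new_device_id()
        # Shipped with the factory default, but flagged so the first
        # login can do nothing except replace it.
        self.salt, self.pw_hash = hash_password(DEFAULT_PASSWORD)
        self.must_change_password = True

    def check_password(self, candidate):
        _, digest = hash_password(candidate, self.salt)
        return hmac.compare_digest(digest, self.pw_hash)

    def set_password(self, new_password):
        """Reject the factory default, the denylist and short passwords."""
        if new_password in WEAK_PASSWORDS or len(new_password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is on the weak list or too short")
        self.salt, self.pw_hash = hash_password(new_password)
        self.must_change_password = False

    def login(self, device_id, password):
        """Return a session descriptor. Location data is only released
        (scope 'full') once the default password has been replaced."""
        if device_id != self.device_id or not self.check_password(password):
            return {"ok": False, "reason": "bad credentials"}
        if self.must_change_password:
            return {"ok": True, "scope": "change_password_only"}
        return {"ok": True, "scope": "full"}


if __name__ == "__main__":
    acct = TrackerAccount()
    print("device id:", acct.device_id)
    print("first login:", acct.login(acct.device_id, DEFAULT_PASSWORD))
    acct.set_password("correct-horse-battery")
    print("after change:", acct.login(acct.device_id, "correct-horse-battery"))
```

With this model, an enumerated ID plus "123456" buys an attacker nothing but a password-change prompt, and the ID itself is no longer enumerable in the first place.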
The default login credentials aren't the only problem
The fact that the trackers are protected by login credentials that are extremely easy to guess is the obvious issue, but the researchers pointed out that it's far from the only one. Both the browser-based portal and the mobile application were set up to work with HTTP rather than HTTPS, which means that all the information (including usernames, passwords, and location data) is exchanged in plaintext. Among this information could be the phone number of the SIM card that's inserted into the tracker.
Knowing it gives the attacker the option of calling the tracker and eavesdropping on the wearer. They also get the chance to send SMS commands to the device which, in and of itself, opens up a world of opportunities. Using a single text message, for example, they can change the IP of the server the tracker communicates with and redirect all the information their way, effectively creating a Man-in-the-Middle scenario and spying on whoever is wearing the keyring-like device for long periods of time.
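The redirect described above works because the tracker acts on any SMS that has the right syntax, regardless of who sent it. As an added example, not taken from the article or from any tracker firmware, the following sketches a device-side filter that only applies a server-change command when it carries a valid message authentication tag computed with a per-device key, and that refuses replayed commands via a monotonic sequence number. The command syntax ("SETSERVER host:port seq tag"), the key and the hostnames are all constructed for the illustration; real devices use their own formats.

```python
import hmac
import hashlib

# Constructed per-device key, assumed to be provisioned at manufacture and
# known only to the legitimate server (hypothetical).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def _tag(key, body):
    """Truncated HMAC-SHA256 over the command body (16 hex chars)."""
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:16]


def sign_command(key, endpoint, seq):
    """Legitimate server side: build an authenticated SETSERVER command."""
    body = f"SETSERVER {endpoint} {seq}"
    return f"{body} {_tag(key, body)}"


class TrackerConfig:
    """Device-side state for the reporting endpoint (hypothetical model)."""

    def __init__(self, key):
        self.key = key
        self.last_seq = 0
        self.server = ("tracker.example.net", 8443)  # constructed default

    def handle_sms(self, sms):
        """Apply a SETSERVER command only if it is well-formed, fresh and
        authenticated. Returns True when the endpoint was changed."""
        parts = sms.strip().split()
        if len(parts) != 4 or parts[0] != "SETSERVER":
            return False                        # unknown or malformed command
        _, endpoint, seq, tag = parts
        if not seq.isdigit() or int(seq) <= self.last_seq:
            return False                        # replayed or stale command
        body = f"SETSERVER {endpoint} {seq}"
        if not hmac.compare_digest(_tag(self.key, body), tag):
            return False                        # not from the holder of the key
        host, _, port = endpoint.partition(":")
        if not host or not port.isdigit():
            return False
        self.last_seq = int(seq)
        self.server = (host, int(port))
        return True


if __name__ == "__main__":
    dev = TrackerConfig(DEVICE_KEY)
    # Constructed unauthenticated redirect attempt: dropped.
    print(dev.handle_sms("SETSERVER 203.0.113.7:9000 1 0000000000000000"), dev.server)
    # Authenticated change from the legitimate server: applied once.
    msg = sign_command(DEVICE_KEY, "gps.example.net:443", 1)
    print(dev.handle_sms(msg), dev.server)
    print(dev.handle_sms(msg), dev.server)   # replay of the same SMS: dropped
```

The sequence check matters as much as the tag: without it, a single captured legitimate command could be resent later to flip the device back to an old endpoint.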
Avast's experts found a number of other security issues with GPS trackers offered online on the cheap, and apparently, Shenzhen i365 isn't the only manufacturer that is involved. More details should be available soon, and until then, you might want to hold off on buying a GPS tracker. If you do have one already, at least make sure that the default password is changed to something unique, secure, and hard-to-guess.