Security company warns that more than 600,000 GPS tracker information is released online with password `` 123456 ''
by
`` GPS tracker '' that can identify the position from a smartphone etc. using GPS is a device used to grasp the position of children, pets, cars, etc., and at a cheap one at a mail order site such as Amazon at a price of about 2000 yen Avast Software, which develops free anti-virus software ' Avast Software ' that can be purchased, announced that about 600,000 GPS trackers on the market are vulnerable to eavesdropping, spy and spoofing attacks .
The secret life of GPS trackers (1/2)-Avast Threat Labs
https://decoded.avast.io/martinhron/the-secret-life-of-gps-trackers/
600,000 GPS trackers left exposed online with a default password of '123456' | ZDNet
https://www.zdnet.com/article/600000-gps-trackers-left-exposed-online-with-a-default-password-of-123456/
The GPS tracker can send the location information acquired by the GPS module via the communication module and capture the owner's location. The GPS tracker itself is simple and inexpensive, but there are some that can use the functions of the phone by pressing the SOS button and others that can play sound from the built-in speaker. The location information sent from the GPS tracker is uploaded to the cloud and can be viewed from web apps and smartphone apps.
Avast
The following screen is where Avast Threat Labs actually browses the location information by logging into the web app. The location of the GPS tracker, manufacturing identification number (IMEI), online status, remaining battery level, location information acquisition date, and stop time are displayed on Google Maps. The location information of T8 Mini can be viewed from the web app and smartphone app.
However, Avast Threat Labs points out that the web application version of the login form is provided by the HTTP protocol rather than the HTTPS protocol, which is encrypted communication, and is 'wrongly wrong at this point.'
The instructions stated that the default login ID was set to tracker manufacturing identification number (IMEI), and the default password was set to “123456”. Surprisingly, a sentence saying 'To register a user name for a user ID, you need to contact the retailer you purchased' was written at the end of the manual. Avast Threat Labs commented, “It is clear that IMEI and 123456 are set for ID and password because retailers have access.”
In other words, user account information is transmitted over the Internet without encryption, and if the default password is not changed, a malicious attacker can easily take over the tracker. Avast Threat Labs pointed out. This vulnerability allows attackers not only to easily find tracker location information, but also to remotely activate the two-way communication function using the SOS function to eavesdrop on the attacker's device. Become.
Avast Threat Labs also analyzes the tracker's IMEI. According to it, the IMEI displayed in the web application version is an 11-digit number, and it does not comply with the IMEI standard that “15-digit length is required”. Avast Threat Labs further investigated and found that the IMEI displayed was not a real IMEI, but only an ID based on IMEI. As shown in the image below, the real IMEI was described inside the tracker itself.
Avast Threat Labs scanned 1 million IDs with the first four digits of “1703” and found that 600,000 devices were running with the default password “123456”. And at least 167,000 units announced that their location information could be searched online. Since the same system and API are used, this problem was confirmed not only with T8 Mini but with about 30 types of GPS trackers.
Avast Threat Labs has reported to GPS tracker vendors in June 2019 about a series of issues, but as of September 5, 2019, no vendors responded.
Related Posts: