Researchers have found that GPS child trackers manufactured by Shenzhen i365 can expose user information. With over 600,000 of the GPS trackers sold, the research shows that the default device password is preset as “123456.” It was also determined that the data that the device sends is being transmitted unencrypted through the global system for mobile communication (GSM) network to its cloud servers. Shenzhen i365, a company from China, manufactures 29 different models of GPS trackers such as GPS watches, mini pet trackers, vehicle trackers, child trackers and software solutions. They all appear to have the same flaw. With the simple default password of “123456,” an attacker could easily hijack the user’s account, spoof locations, or enable the microphone to spy on conversations. Also, with the data being sent unencrypted from the GSM network to the cloud server, an attacker could intercept the information easily. Researchers have noted that about 50 GPS tracking mobile apps on both Google Play Store and the iOS App store share the same unencrypted platform.
Analyst Notes
The researchers did their due diligence by responsibly reporting the flaw to
Shenzhen i365, but have not received a response. Until a patch is released, it is recommended to discontinue using these products.
