Story image

Consumer GPS tracker leaks unencrypted data, warns Avast

12 Sep 2019

Hundreds of thousands of tracking devices manufactured by Shenzhen i365 Tech have serious security vulnerabilities, including hundreds across Australia and New Zealand.

The T8 Mini GPS tracker and 30 other models by the same manufacturer are designed to keep children, seniors, pets and possessions safe – ironically, the devices themselves aren’t very safe at all.

The devices don’t have any encryption, which means they leak real-time GPS coordinates. What’s more, attackers could hijack the devices to intercept microphones, phone numbers (through SMS), and take over the device’s firmware.

According to Avast researchers, there are approximately 600,000 at-risk trackers in use across the world.

There are also at least 50 mobile apps that use the same unencrypted platform.

What’s more, the manufacturer doesn’t seem to be doing anything about it. In Avast’s words, repeated notifications to the device maker revealing the flaws received no response.

“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” says Avast senior researcher Martin Hron.

He says that buyers should purchase devices that have built-in security features, particularly secure login and data encryption.

Users should also change the default admin passwords to something stronger – but in the case of the T8 Mini trackers, that isn’t going to help.

“Using a simple command lookup tool, researchers discovered that all of the requests originating from the tracker’s web application are transmitted in unencrypted plain-text. Even more concerning, the device can issue commands beyond the intended uses of GPS tracking, such as:

  • Call a phone number, enabling a third-party to eavesdrop through the tracker’s microphone
  • Send an SMS message, which could allow an attacker to identify the phone number of the device and thus use inbound SMS as an attack vector
  • Use SMS to reroute communication from the device to an alternate server in order to gain full control of the device or spoof information sent to the cloud
  • Share a URL to the tracker, allowing a remote attacker to place new firmware on the device without even touching it, which could completely replace the functionality or implant a backdoor.”

Avast warns that people should be cautious when setting up cheap or knockoff smartphone devices into their homes – instead, shop with brands that are trusted and will keep data safe.

Story image
09 Sep
Premium headphones driving revenue boom, says Futuresource
Thanks to the trend in premium brands, worldwide headphone revenue is growing four times faster than shipment numbers. More
Story image
12 Sep
Samsung says 'hundreds of apps' will work with Galaxy Fold
‘Hundreds’ of apps on the Google Play and Galaxy Stores have been updated to work with the foldable phone, thanks to a collaboration with Google to improve integrated Android OS support.More
Story image
03 Sep
Hands-on review: Supercharging the RTX with the ROG STRIX RTX2080 SUPER
You can expect stable 60FPS+ gameplay over 4K UHD resolution over most AAA titles, or even with DLSS turned on when working with WQHD resolution. More
Story image
04 Sep
UNISOC releases Octa-Core SoC with improved image processing and AI
The Tiger T618 SoC boasts the latest and greatest in smartphone photography tech to boost the mobile shooting experience.More
Story image
26 Aug
Hands-on review: The AirPods 2 with wireless charging
While they're still not great for noise blocking, they are stylish earbuds that allow you to answer phone calls quickly and hands free, listen to music on your phone and communicate with Siri, all while fitting in a compact wireless charging case that's great for travelling.  More
Story image
02 Sep
Hands-on review: The Harman Kardon Onyx Studio 5
When I connected from my laptop, I was literally blown away. There is no doubt plenty of volume to please those with no regard for their tympanic membranes, but I’d like to keep what’s left of my hearing for a while longer. More