Many parents are using GPS trackers to monitor the location of their children, but a recent study conducted by researchers at Avast Threat Labs has shown that far from improving safety, parents could be putting their children at risk.
GPS trackers allow parents to see where their children are at all times, but they also allow others to locate their children due to the number of bugs in the devices and associated apps.
The study was conducted on GPS location trackers manufactured by the company Shenzhen i365 Tech, in particular, the T8 Mini GPS tracker. The company’s GPS trackers are used by around 600,000 people worldwide and are also sold under other brand names on e-commerce websites. Vulnerabilities were identified in mobile apps that connect to the trackers, communications between the trackers/apps and online portals, and many accounts had poor security and used default, easy to guess passwords.
For instance, Avast researchers found many trackers used the mobile device serial number as the username and a password of 123456. Even if the password is changed, location data can easily be intercepted as it is sent to the online portal in plaintext. One mobile tracking app was being delivered via an insecure website, and design flaws were identified that allow malicious third parties to spoof the user’s location and misreport where that individual is located.
The study focused on one specific tracker, but the researchers point out that there are currently more than 50 apps on official Google Play and iOS Apple Store that run on the same vulnerable platform. Other tracking devices and apps may also have similar vulnerabilities. Previous research has shown other tracking devices contain vulnerabilities that could be exploited to reveal the location of users – LeapPad tablets by LeapFrog, for example.
Avast researchers disclosed the vulnerabilities to the Shenzhen i365 Tech to allow changes to be made to improve security, but a response was not received in the standard time frame. Consequently, the researchers issued a Public Service Announcement to warn users of the devices of the risks of continued use of the devices.
“[We] strongly advise you to discontinue use of these devices”, said Martin Hron, Avast’s lead researcher of the study.
It is important is to perform due diligence to make sure the trackers and associated apps are secure and have had appropriate security controls incorporated into the design.