Researchers have found serious security vulnerabilities in over 600,000 GPS trackers available for sale on Amazon and other online retail merchants that may have exposed user data, including the exact real-time GPS coordinates.

Czech cybersecurity firm Avast, which discovered the vulnerabilities, said it notified the manufacturer about the flaws on June 24, 2019, but added they never got a response to their repeated messages.

The trackers — 31 models in all that are made by Chinese IoT manufacturer Shenzhen i365 Tech — allowed users to keep tabs on their children's whereabouts through a companion app and a web portal, while the trackers uploaded the location information to a cloud server that communicated with the apps.

But researchers noted this setup was rife with flaws. Not only was the information on the web portal and the Android app sent to the server unencrypted (i.e. HTTP as opposed to HTTPS), the usernames were based on the trackers' IMEI (International Mobile Equipment Identity) number, with the default password being "123456."

Avast warned that hackers can use this information to intercept data and issue rogue commands, using the tracker to call and message arbitrary phone numbers, thereby letting them spy on conversations around the tracker without the user's knowledge.

In addition, this can also allow a malicious user to take over victims' accounts by going through the trackers' IMEI codes in sequence and the same password "123456," effectively locking them out. The attacker can even get the real-time GPS coordinates by just sending an SMS to the phone number associated with the SIM card that's inserted into the tracker.


Conveniently for the threat actor, the settings make it possible for the attacker to force "the tracker [to] send an SMS to a phone number of a phone in his control which allows him to tie the ID of a tracker with its phone number."

Scanning a random sample of four million consecutive IMEI numbers, the researchers zeroed in on at least 600,000 devices still in use with default passwords, out of which over 167,000 were locatable.
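A defender-side sketch of how a portal operator could spot the sequential-IMEI login pattern described above in its own authentication logs; this is an added example, not code from Avast or the vendor. The event tuple layout, function names and sample events are assumptions constructed for illustration. It compares the 14-digit IMEI body because the 15th digit is a Luhn check digit, so adjacent devices do not have adjacent 15-digit usernames.

```python
from collections import defaultdict

def luhn_check_digit(body):
    """Luhn check digit for a 14-digit IMEI body (the 15th IMEI digit)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def imei_body(username):
    """14-digit body of an IMEI-shaped username as an int, else None."""
    if len(username) == 15 and username.isascii() and username.isdigit():
        return int(username[:14])
    return None

def longest_run(values):
    """Length of the longest run of consecutive integers in a set."""
    best = 0
    for v in values:
        if v - 1 not in values:  # v is the start of a run
            n = 1
            while v + n in values:
                n += 1
            best = max(best, n)
    return best

def flag_enumeration(events, min_run=5):
    """Return {source_ip: run_length} for IPs that tried >= min_run adjacent IMEIs.
    The success flag is ignored: with a default password, attempts may succeed."""
    tried = defaultdict(set)
    for ip, username, _success in events:
        body = imei_body(username)
        if body is not None:
            tried[ip].add(body)
    runs = {ip: longest_run(bodies) for ip, bodies in tried.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

def make_imei(n):
    """Constructed IMEI for the sample data: body n plus its check digit."""
    body = f"{n:014d}"
    return body + luhn_check_digit(body)

# Constructed login events (source_ip, username, success); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", make_imei(100 + k), False) for k in range(6)]
    + [("198.51.100.20", make_imei(5000), True)] * 2
    + [("192.0.2.44", make_imei(n), False) for n in (7000, 7400)]
)
```

Calling `flag_enumeration(SAMPLE_EVENTS)` flags only the source that walked six adjacent device IDs; the owner logging in twice and the source touching two unrelated devices are not flagged.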

Although the trackers were made in China, Avast found the trackers to be widely used in Europe, South Africa, Australia, Brazil, the Middle East, and the US.

This is not the first time a flaw of this nature has been revealed. Back in May, UK cybersecurity firm Fidus Information Security disclosed a vulnerability in a popular GPS tracker used by elderly patients that can be tricked into sending its real-time location simply by sending it a text message with a specific command.

As a consequence, the UK is considering laws that would require internet-connected devices to be sold with a unique password, and not a default.
