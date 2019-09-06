Avast has discovered serious security vulnerabilities in the T8 Mini GPS tracker and nearly 30 other models by the same manufacturer, Shenzhen i365 Tech. Marketed to keep kids, seniors, pets, and even possessions safe, instead these devices expose all data sent to the cloud, including exact real-time GPS coordinates.

Further, design flaws can enable unwanted third-parties to spoof the location or access the microphone for eavesdropping. Researchers at Avast Threat Labs estimate that there are 600,000 unprotected trackers in use globally, but emphasize that these IoT security issues go far beyond the scope of a single vendor.

Martin Hron, a senior researcher at Avast who led this research, advises buyers of these products to opt for an alternative from brands that have built security into the product design, specifically secure login and strong data encryption.

As with any off-the-shelf device, we recommend changing the default admin passwords to something more complex; however, in this case, even that will not stop a motivated individual from intercepting the unencrypted traffic. “We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said.

Avast Threat Labs first analyzed the T8 Mini onboarding process, following the instructions to download the companion mobile app from http://en.i365gps.com — notably, a website served over HTTP protocol as opposed to the more secure HTTPS. Users can then login to their account with their assigned ID number and very generic default password of “123456”. This information was transmitted over insecure HTTP protocol, too.

The ID number is derived from the International Mobile Equipment Identity (IMEI) of the device, so it was easy for researchers to predict and enumerate possible ID numbers of other trackers by this manufacturer. Combined with the fixed password, practically any device following this sequence of IMEI numbers would be able to be broken into with little effort.