Popular GPS trackers found to have major security flaws

(Image credit: Shutterstock.com)

Thousands of devices meant to help keep children safe could actually be putting them at risk, new security research has found.

A report from Avast has claimed that around 600,000 GPS tracking devices are exposing all the data they send to the cloud, including exact real-time GPS co-ordinates.

The flaw affects over 30 devices from Chinese manufacturer Shenzhen i365 Tech, including the popular T8 Mini GPS tracker, which are marketed as helping keep track of children, pets and elderly people.

Tracked down

Avast's researchers found that all of the requests originating from the tracker’s web application were being transmitted in unencrypted plain-text, with the website of i365 Tech served over HTTP protocol as opposed to the more secure HTTPS.

But in more troubling findings, Avast discovered that the device was able to issue commands beyond the intended uses of GPS tracking products, including the ability to call a phone number, which could enable a third-party to eavesdrop through the tracker’s microphone.

The device was also able to send SMS messages, which could allow an attacker to identify the phone number of the device and thus use inbound SMS as an attack vector, as well as using an SMS to allow a hacker to reroute communication from the device to an alternate server in order to gain full control of the device or spoof information sent to the cloud.

Lastly, the device could also share a URL to the tracker, allowing a remote attacker to place new firmware on the device without even touching it, which could completely replace the functionality or implant a backdoor

Avast says that its research should make the public to take caution when bringing cheap or knock-off smart devices into the home. 

“As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” Leena Elias, head of product delivery for Avast, said. 

“Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe — the extra cost is worth the peace of mind.”

  • Keep your online habits private with the best VPN services of 2019
Mike Moore
Deputy Editor, TechRadar Pro

Mike Moore is Deputy Editor at TechRadar Pro. He has worked as a B2B and B2C tech journalist for nearly a decade, including at one of the UK's leading national newspapers and fellow Future title ITProPortal, and when he's not keeping track of all the latest enterprise and workplace trends, can most likely be found watching, following or taking part in some kind of sport.