Avast estimates 600,000 IoT products are currently vulnerable
Wearable devices made for monitoring children and the elderly are rife with security flaws, according to cybersecurity firm Avast.
In a report published today, the security software vendor details the critical vulnerabilities it found in almost 30 models of supposedly popular GPS trackers made by Chinese firm Shenzhen i365 Tech.
The vendor produces fashionable GPS devices marketed as a means of keeping track of kids, the elderly, and pets.
The products come bundled with the T8 Mini GPS tracker – a component that allows unauthorized third parties to eavesdrop on communications and more, Avast warns.
Avast found that these devices were leaving data exposed, including real-time GPS coordinates, via the tracker’s web application.
The application’s website notably serves content through the HTTP protocol, meaning user account information is transmitted over the internet unencrypted.
Users taking advantage of the T8 Mini GPS tracker and its associated application would therefore be exposing their phone IDs and passwords.
An individual’s device could easily be identified with this information due to the application’s use of the International Mobile Equipment Identity (IMEI) identifier for login.
Malicious actors could then compromise the device, according to Avast.
The cybersecurity firm also found that the design flaws within the product gave devices functionality beyond GPS tracking, including the ability to call a phone number in order to gain access to the microphone.
An attacker would additionally have the capability to send an SMS message in order to serve up a malicious URL as part of a remote hack attempt.
Avast told The Daily Swig that it had notified Shenzhen i365 Tech about the vulnerabilities on June 24. Repeated attempts at contacting the T8 Mini GPS manufacturer to discuss these various (as-yet unresolved) issues proved unsuccessful, Avast said.
“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Martin Hron, senior researcher at Avast, said in a statement.
Researchers estimate that there are around 600,000 T8 Mini GPS products out in circulation and currently vulnerable, with 500,000 downloads of the device’s corresponding apps.
Avast has identified 29 other GPS tracking products that contain the same vulnerabilities, many of which are manufactured by the same company.
Consumers are reminded to shop securely and always change the default admin passwords for products to something more complex.
“As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” said Leena Elias, head of product delivery at Avast.
“Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe – the extra cost is worth the peace of mind.”
The Daily Swig has reached out to Shenzhen i365 for comment. The T8 Mini GPS tracker appears to be no longer available on the company’s website.