Avast researchers have discovered serious security vulnerabilities in some 600,000 child trackers for sale on Amazon.com and other large online merchants. The devices expose data sent to the cloud, including the exact real-time GPS coordinates of children.
Twenty-nine models of trackers – made by the Chinese manufacturer Shenzhen i365 Tech and resold through various brands – showed the vulnerabilities. Avast Threat Labs first analyzed the T8 Mini child tracker and found the companion mobile app is downloaded from an unsecured website, exposing the users’ information. Further security issues involved user account information, which comes with an assigned ID number and a default password of 123456. Design flaws in the trackers can also enable third parties to “spoof” (or fake) the user’s location, or access the microphone for eavesdropping.
Martin Hron, the senior researcher at Avast who led this research, advises consumers to opt for an alternative product from a more trustworthy brand that has built security into the product design. As with any off-the-shelf “smart” device, Avast recommends changing the default admin passwords to something more complex. However, in this case, even that would not stop a motivated hacker from intercepting the unencrypted traffic.
“We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said. Researchers believe these IoT security issues go far beyond the scope of a single vendor. Fifty mobile applications on both Google Play and iOS App Store share the same unencrypted platform discussed above, they said.