Over 600,000 Chinese GPS Trackers Use Default Password “123456”
Researchers from Avast have discovered that more than 600,000 GPS trackers, commonly used to monitor elderly people and children, come with the default password “123456.” These devices are popular in the United States, Europe, and other regions.
According to the experts, cybercriminals can exploit this default password to hack user accounts. Once inside, they could eavesdrop on conversations near the GPS tracker, spoof its real location, or obtain the phone number of the SIM card inside the device to track it via GSM channels.
Vulnerable Devices and Infrastructure
The issue was found in over 30 models of GPS trackers manufactured by the Chinese IoT device maker Shenzhen i365-Tech. All these models share the same server infrastructure, which includes a cloud server, a web panel for checking the tracker’s location via browser, and a mobile app that also connects to the cloud server.
User identifiers are based on the GPS tracker’s International Mobile Equipment Identity (IMEI) number and are sequential, while the password for all devices is the same: “123456.” This allows attackers to launch automated attacks on the Shenzhen i365-Tech cloud server, scan through all user IDs one by one, use the same password, and hijack user accounts.
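On the defending side, a sweep of this kind is visible in login records as one source walking through near-sequential account IDs. The detector below is an added example, not code from Avast or the vendor; the log format, the sample lines, the thresholds and the names `parse` and `find_sweeps` are assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (format assumed): timestamp, source IP, account ID, result.
SAMPLE_LOG = """\
2019-09-05T10:00:01 203.0.113.7 860000000000101 FAIL
2019-09-05T10:00:02 203.0.113.7 860000000000102 OK
2019-09-05T10:00:02 198.51.100.20 860000000731455 OK
2019-09-05T10:00:03 203.0.113.7 860000000000103 FAIL
2019-09-05T10:00:04 203.0.113.7 860000000000104 OK
2019-09-05T10:00:05 203.0.113.7 860000000000105 FAIL
2019-09-05T10:00:09 198.51.100.20 860000000731455 OK
2019-09-05T10:00:11 192.0.2.44 860000000250017 FAIL
2019-09-05T10:00:15 192.0.2.44 860000000250017 OK
"""

def parse(log_text):
    """Yield (source_ip, account_id, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip malformed lines rather than crash the detector
        yield parts[1], int(parts[2]), parts[3] == "OK"

def find_sweeps(log_text, min_accounts=5, max_step=10, min_ratio=0.8):
    """Flag sources that try many distinct accounts in near-sequential ID order."""
    seen = defaultdict(list)   # source -> distinct account IDs, first-seen order
    hits = defaultdict(set)    # source -> accounts that accepted a login
    for src, acct, ok in parse(log_text):
        if acct not in seen[src]:
            seen[src].append(acct)
        if ok:
            hits[src].add(acct)
    alerts = {}
    for src, ids in seen.items():
        if len(ids) < max(min_accounts, 2):
            continue  # a normal user or family touches only a few accounts
        steps = [b - a for a, b in zip(ids, ids[1:])]
        sequential = sum(1 for s in steps if 0 < s <= max_step)
        if sequential / len(steps) >= min_ratio:
            # Accounts that accepted a login during the sweep need a forced reset.
            alerts[src] = sorted(hits[src])
    return alerts

if __name__ == "__main__":
    for src, compromised in find_sweeps(SAMPLE_LOG).items():
        print(f"sweep from {src}; reset passwords for: {compromised}")
```

Each flagged source maps to the accounts that accepted a login during the sweep, which are the ones to lock and force through a password reset.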
Scale of the Problem
Although users can change the default password after their first login, Avast’s scan of about 4 million user IDs revealed that over 600,000 accounts were still using “123456” as their password.
Manufacturer Response and Recommendations
Shenzhen i365-Tech did not respond to researchers’ emails about the discovered vulnerability. Users are strongly advised to change the default password on their accounts as soon as possible to protect their privacy and security.