Special tracking devices promise parents safety by always letting them know where their child is. But security researchers are now urgently warning against some GPS trackers: in their estimation, the transmitters could even be dangerous for the children.
According to a report by the software company Avast, about 600,000 devices worldwide are affected by a vulnerability that allows strangers to access the tracking devices. For example, criminals could follow school trips in real time, with some models even allowing the microphone to be activated for eavesdropping.
The vulnerability is attributed to 30 models from the Chinese company Shenzhen i365 Tech, which, according to the researchers, are especially widespread in Europe. In Germany they are offered on Amazon and eBay.
In order to access the data, the attackers do not need direct access to the GPS trackers. Instead, it is sufficient, according to researchers, to tap into the data exchange between the web portal and the server on which the GPS data is stored.
According to Avast security expert Martin Hron, the location data is exchanged in plain text and can therefore be read without much effort. "This is wrong on so many levels," writes Hron in a blog post. The default password, the digits "123456", is just one problem, because the user names can be guessed from device codes.
GPS tracker becomes a bug
It is worrying that the GPS portal is apparently used not only by the app called "Aibeile", which communicates with the tracker bracelets. According to Hron, about 50 other apps access the portal, and they may expose the same data transmission vulnerabilities. Apps like "Car Life" and "LKGPS" can be used to read out the location of a car.
In addition to the data stream being readable, the tracking transmitters can also be remotely controlled, the researchers warn. In a test, Hron succeeded in forcing the GPS trackers to call a specific telephone number. This would allow the wearer to be eavesdropped on. With commands sent via text message (SMS), it was also possible to specifically query the current location.
The GPS trackers are available in various forms: the small devices are sold in the size of a USB stick that can be put in a backpack, or as a wristwatch. The technology is usually quite simple: the housing usually contains a processor, a GPS sensor, a SIM card slot and, in some models, a speaker and microphone.
With the GPS sensor, the device records the current location and sends the data over the mobile network to a server. There, parents or pet owners can retrieve the data and see in real time where the tracker is currently located. Among privacy advocates, this monitoring method is controversial.
Researchers recommend branded goods
The researchers advise against buying a cheap tracker. Prospective buyers are advised to "choose an alternative product of a more trusted brand that takes product safety into account," writes Hron. Anyone who already owns an affected GPS device should at least change the password so as not to make access to the tracking devices even easier.
Avast says it has made the Chinese company aware of the vulnerabilities. Since there was no feedback, it has now decided to make the deficiencies public. Shenzhen i365 Tech has also not responded to a request from SPIEGEL on Friday morning.