[ad_1]
According to researchers at the Avast security company, about 600,000 GPS trackers to monitor the location of children, the elderly and pets have vulnerabilities that open up users to a multitude of frightening attacks.
The devices from $ 25 to $ 50 are small enough to be worn on a collar or in a pocket in a pocket or compartment. Many also include cameras and microphones. They are marketed on Amazon and other online stores as inexpensive ways to ensure the safety of children, the elderly and pets. Ignoring the ethics of attaching an espionage device to the people we love is another reason for skepticism. Vulnerabilities of the T8 Mini GPS Tracking Locator and nearly 30 similar brands from the same manufacturer, Shenzhen i365 Tech, make users vulnerable to spying, espionage and identity theft attacks that distort the true user location.
Researchers at Avast Threat Labs found that the identification numbers assigned to each device were based on the international identity of mobile equipment, or IMEI. Worse, during the manufacturing, the devices were given exactly the same default password, namely 123456. The design allowed the researchers to find more than 600 000 devices in use with this word password. As if that were not enough, the devices sent all the data in clear text using easy-to-use commands.
As a result, people on the same network as the smartphone or Web application can monitor or change sensitive traffic. A useful command can send a text message to a phone chosen by the attacker. An attacker can use it to get the phone number associated with a specific account. From there, attackers in the same network could change the GPS coordinates that the follower reported or force the device to call a number of his choice and broadcast all sound within range of the microphone. Other commands allowed the devices to return to the factory settings, including the default password, or to install a firmware chosen by the attacker.
Another command allows attackers to change the IP address of the server with which the tracker communicates. Avast researchers exploited this weakness to implement a man-in-the-middle attack that allowed them to constantly control the device. From then on, attackers would no longer need to be connected to the same network as the smartphone or web application. They would be able to see and edit all plain text passing through their proxy.
The researchers also determined that all data transiting between the GSM network and the cloud server was not only unencrypted but also unauthenticated. The only thing that attached the device was its IMEI. The researchers said they had informed the T8 Mini trajectory detector vendor on June 24th of these vulnerabilities and that they had never received a response. Ars attempts to reach the representatives of the company were unsuccessful.
In a blog post scheduled for Thursday morning, Avast researchers identified 29 generic model names of a subset of the 600,000 Internet-connected trackers found with the help of a password. by default. They are:
T58
A9
T8S
T28
TQ
A16
A6
3G
A18
A21
T28A
AT 12
A19
A20
A20S
S1
P1
FA23
A107
RomboGPS
PM01
A21P
PM02
A16X
PM03
WA3
P1-S
S6
S9
GPS trackers can provide protection and peace of mind in appropriate cases, which require at a minimum the informed consent of the people being tracked. But Avast research shows that the capabilities of these devices can go both ways and make users more vulnerable than if they did not use any protection. People who have bought one of the vulnerable devices should stop using it immediately.
[ad_2]
Source link