600,000 GPS trackers left exposed online with a default password of '123456'

Found on ZDNet on Saturday, 07 September 2019

Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker.

Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies.

A hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user IDs one by one, trying the same 123456 password on each, and taking over users' accounts.

Unfortunately for everyone, the issue persists to this day, as Shenzhen i365-Tech did not respond to Avast's emails when the company tried to warn the vendor. Similar contact attempts made by ZDNet's sister site CNET didn't succeed either.

It could be really simple: every device that comes with some sort of authentication has to have a unique random password that's printed on a label on the device, and which has to be changed to something different when the device is first used. Companies that do not follow these guidelines will face hefty fines, and devices already sold will be recalled.
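
The scheme proposed above, sketched as an added example (not code from Avast, ZDNet or the vendor): each device gets its own random label password, and the account only allows a password change until that label password has been replaced. `DeviceAccounts`, the label alphabet and the 10-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Label alphabet without look-alike characters (0/O, 1/l/I): a choice made for this example.
LABEL_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"
PBKDF2_ROUNDS = 600_000

def _record(password):
    """Return (salt, digest) so the plaintext is never stored."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def _matches(password, record):
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

class DeviceAccounts:
    """Hypothetical account store for a tracker cloud service."""

    def __init__(self):
        self._accounts = {}  # device_id -> {"current", "factory", "must_change"}

    def provision(self, device_id):
        """Factory step: create the account, return the password for the label."""
        password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(12))
        record = _record(password)
        self._accounts[device_id] = {"current": record, "factory": record, "must_change": True}
        return password

    def login(self, device_id, password):
        """Return 'denied', 'must_change' (password change only) or 'ok'."""
        account = self._accounts.get(device_id)
        if account is None or not _matches(password, account["current"]):
            return "denied"
        return "must_change" if account["must_change"] else "ok"

    def change_password(self, device_id, old, new):
        """First-use change: the new password must differ from the label one."""
        if self.login(device_id, old) == "denied":
            return False
        account = self._accounts[device_id]
        if len(new) < 10 or _matches(new, account["factory"]):
            return False
        account["current"] = _record(new)
        account["must_change"] = False
        return True
```

With this in place, one shared password no longer works across user IDs, and a label password read off one device says nothing about any other account.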