Video | Agriculture | Confidence | Economy | Energy | Employment | Finance | Media | Property | RBNZ | Science | SOEs | Tax | Technology | Telecoms | Tourism | Transport | Search

 

Avast discovers security flaws in GPS trackers

Digital security vendors Avast [LSE:AVST] have discovered serious security vulnerabilities in the T8 Mini GPS tracker and nearly 30 other models by the same manufacturer, Shenzhen i365 Tech. Marketed to keep kids, seniors, pets, and even possessions safe, instead these devices expose all data sent to the cloud, including exact real-time GPS coordinates.

Further, design flaws can enable unwanted third-parties to spoof the location or access the microphone for eavesdropping. Researchers at Avast Threat Labs estimate that there are 600,000 unprotected trackers in use globally, but emphasise that these IoT security issues go far beyond the scope of a single vendor.

To date, more than 80 units have been traced to New Zealand, with potentially several times that number currently operational locally.

Martin Hron, senior researcher at Avast who led this research, advises buyers of these products to opt for an alternative from brands that have built security into the product design, specifically secure login and strong data encryption. As with any off-the-shelf device, we recommend changing the default admin passwords to something more complex; however, in this case, even that will not stop a motivated individual from intercepting the unencrypted traffic. “We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said.

Red flags right out of the box

Avast Threat Labs first analyzed the T8 Mini onboarding process, following the instructions to download the companion mobile app from http://en.i365gps.com — notably, a website served over HTTP protocol as opposed to the more secure HTTPS. Users can then login to their account with their assigned ID number and very generic default password of “123456”. This information was transmitted over insecure HTTP protocol, too.

The ID number is derived from the International Mobile Equipment Identity (IMEI) of the device, so it was easy for researchers to predict and enumerate possible ID numbers of other trackers by this manufacturer. Combined with the fixed password, practically any device following this sequence of IMEI numbers would be able to be broken into with little effort.

Everything is unencrypted

Using a simple command lookup tool, researchers discovered that all of the requests originating from the tracker’s web application are transmitted in unencrypted plain-text. Even more concerning, the device can issue commands beyond the intended uses of GPS tracking, such as:

• Call a phone number, enabling a third-party to eavesdrop through the tracker’s microphone

• Send an SMS message, which could allow an attacker to identify the phone number of the device and thus use inbound SMS as an attack vector

• Use SMS to reroute communication from the device to an alternate server in order to gain full control of the device or spoof information sent to the cloud

• Share a URL to the tracker, allowing a remote attacker to place new firmware on the device without even touching it, which could completely replace the functionality or implant a backdoor

Unsurprisingly, the companion mobile app AIBEILE (on both Google Play and iOS App Store) was also found communicating with the cloud through a non-standard HTTP port, TCP:8018, sending unencrypted plain-text to the endpoint. Upon dissecting the device itself to analyze how it speaks to the cloud, Avast Threat Labs confirmed that the data again travels unencrypted from the GSM network to the server without any authorization.

What consumers should take away from this research

In addition to the device that is the focus of this research, Avast has identified 29 other models of GPS trackers containing these security vulnerabilities — most of which are made by the aforementioned vendor — as well as 50 different mobile applications sharing the same unencrypted platform discussed above. Researchers estimate there are more than 600,000 devices in the wild with default “123456” passwords and upwards of 500,000 downloads of the mobile apps. Repeated notifications to the device maker revealing the flaws received no response.

Leena Elias, head of product delivery for Avast, urges the public to take caution when bringing cheap or knock-off smart devices into the home. “As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” she said. “Beware of any manufacturers that do not meet minimum security standards or lack third-party certifications or endorsements. Shop only with brands you trust to keep your data safe — the extra cost is worth the peace of mind.”

For a deep-dive analysis of the security flaws found in the T8 Mini GPS tracker, please visit the Avast Decoded threat intelligence blog. To hear Leena and Martin discuss the implications for parents, watch this video on the Avast blog.


© Scoop Media

 
 
 
Business Headlines | Sci-Tech Headlines

 

Up 0.5% In June Quarter: Services Lead GDP Growth

“Service industries, which represent about two-thirds of the economy, were the main contributor to GDP growth in the quarter, rising 0.7 percent off the back of a subdued result in the March 2019 quarter.” More>>

ALSO:

Pickers: Letter To Immigration Minister From Early Harvesting Growers

A group of horticultural growers are frustrated by many months of inaction by the Minister who has failed to announce additional immigrant workers from overseas will be allowed into New Zealand to assist with harvesting early stage crops such as asparagus and strawberries. More>>

ALSO:

Non-Giant Fossil Disoveries: Scientists Discover One Of World’s Oldest Bird Species

At 62 million-years-old, the newly-discovered Protodontopteryx ruthae, is one of the oldest named bird species in the world. It lived in New Zealand soon after the dinosaurs died out. More>>

Rural Employers Keen, Migrants Iffy: Employment Visa Changes Announced

“We are committed to ensuring that businesses are able to get the workers they need to fill critical skills shortages, while encouraging employers and regions to work together on long term workforce planning including supporting New Zealanders with the training they need to fill the gaps,” says Iain Lees-Galloway. More>>

ALSO:

Marsden Pipeline Rupture: Report Calls For Supply Improvements, Backs Digger Blame

The report makes several recommendations on how the sector can better prevent, prepare for, respond to, and recover from an incident. In particular, we consider it essential that government and industry work together to put in place and regularly practise sector-wide response plans, to improve the response to any future incident… More>>

ALSO: