Cybersecurity researchers at Avast have disclosed that about 29 models of GPS tracking devices, manufactured by Chinese companies and used to keep tabs on children, come with a number of vulnerabilities.
The GPS tracking devices, estimated at over 500,000 units (available for purchase on Amazon and some other online merchants), all ship with "123456" as the default password, which makes them easy for an attacker to break into, as most users never bothered to change the default password.
The vulnerabilities stem from the fact that communication between the cloud and the GPS trackers, between the cloud and the device's mobile apps, and between users and the device's web application was carried over unencrypted HTTP, leaving it open to man-in-the-middle (MitM) attackers who could intercept the data and issue unauthorized commands.
Because communication with the web application is over HTTP, the JSON requests are also in plaintext and unencrypted, allowing an attacker to make the tracker call an arbitrary mobile number, which, once connected, would let the attacker listen to the tracker through the other party without a trace.
Again, the text-based protocol lacks any form of authorization; it works by identifying the tracker by its IMEI number.
The researchers also discovered that remote attackers could obtain the real-time GPS coordinates of any target device by simply sending an SMS to the mobile number associated with the SIM card that provides data and SMS capabilities to the device.
However, the attackers would first need to know the mobile number and password associated with the tracker to carry out an attack, though the cloud/mobile app flaws can be exploited to make the tracker send an SMS to an arbitrary mobile number by itself, allowing the attackers to obtain the tracker's specific mobile number.
Once the device's mobile number is known, and given that the default password '123456' remains on most of the devices, the attacker can easily use SMS as an attack vector.
The researchers, however, claimed to have since notified the manufacturers of the GPS tracking devices critically affected by the security vulnerabilities, as well as the vendors, but have received no response.
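A defender-side check for the three weaknesses described above (plaintext HTTP, the default password, and identification by IMEI alone), written as an added example and not taken from Avast's research or any vendor's code. The article does not give the real request format, so the host name, JSON field names and sample requests below are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

DEFAULT_PASSWORD = "123456"  # default password reported in the article
# Hypothetical names of fields that would carry an authorization credential.
AUTH_FIELDS = {"token", "session", "signature"}

# Constructed sample requests (URL, JSON body), e.g. as logged by a home gateway.
SAMPLE_REQUESTS = [
    ("http://tracker-cloud.example/api/command",
     '{"imei": "000000000000001", "password": "123456", "cmd": "locate"}'),
    ("https://tracker-cloud.example/api/command",
     '{"imei": "000000000000002", "password": "S7!long-unique", "token": "abc"}'),
    ("http://tracker-cloud.example/api/position",
     '{"imei": "000000000000003"}'),
]

def audit_request(url, body):
    """Return (imei, findings) for one logged request."""
    findings = []
    if urlsplit(url).scheme.lower() != "https":
        findings.append("plaintext-http")  # readable and alterable in transit
    try:
        fields = json.loads(body)
    except ValueError:
        fields = None
    if not isinstance(fields, dict):
        return "?", findings + ["unparseable-body"]
    if fields.get("password") == DEFAULT_PASSWORD:
        findings.append("default-password")
    # A device named by IMEI with no credential of any kind in the request.
    has_credential = "password" in fields or bool(AUTH_FIELDS.intersection(fields))
    if "imei" in fields and not has_credential:
        findings.append("imei-only-identification")
    return str(fields.get("imei", "?")), findings

def audit(requests):
    """Map each IMEI to its sorted findings; devices with none are omitted."""
    report = {}
    for url, body in requests:
        imei, findings = audit_request(url, body)
        report.setdefault(imei, set()).update(findings)
    return {imei: sorted(found) for imei, found in report.items() if found}

if __name__ == "__main__":
    for imei, found in audit(SAMPLE_REQUESTS).items():
        print(imei, ", ".join(found))
```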