Threat Research

Avast discovers widespread security flaws in GPS child trackers

Threat Intelligence Team, 5 September 2019

Researchers warn consumers about vulnerabilities affecting nearly 30 models for sale on large online retailers

Avast researchers have discovered serious security vulnerabilities in some 600,000 child trackers for sale on Amazon.com and other large online merchants. The devices expose data sent to the cloud, including the exact real-time GPS coordinates of children.

Twenty-nine models of trackers – made by the Chinese manufacturer, Shenzhen i365 Tech and resold through various brands – showed the vulnerabilities. Avast Threat Labs first analyzed the T8 Mini child tracker and found the companion mobile app is downloaded from an unsecured website, exposing the users’ information. Further security issues involved user account information, which comes with an assigned ID number and default password of 123456. Design flaws in the trackers can also enable third-parties to “spoof” (or fake) the user’s location, or access the microphone for eavesdropping. 

Martin Hron, senior researcher at Avast who led this research, advises consumers to opt for an alternative product from a more trustworthy brand that has built security into the product design. As with any off-the-shelf “smart” device, Avast recommends changing the default admin passwords to something more complex. However, in this case, even that would not stop a motivated hacker from intercepting the unencrypted traffic. 

"We have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this Public Service Announcement to consumers and strongly advise you to discontinue use of these devices,” Hron said.  Researchers believe these IoT security issues go far beyond the scope of a single vendor. Fifty mobile applications on both Google Play and iOS App Store share the same unencrypted platform discussed above, they said.    

Listen to Avast Senior Researcher Martin Hron and Head
of Product Delivery, Leena Elias, discuss this case
with the Avast blog.

Leena Elias, head of product delivery for Avast, urges the public to take caution when bringing cheap or knock-off smart devices into the home. “As parents, we are inclined to embrace technology that promises to help keep our kids safe, but we must be savvy about the products we purchase,” she said. 

For a deep-dive analysis of the security flaws found in the T8 Mini GPS tracker, please visit the Avast Decoded threat intelligence blog