A CHINESE MANUFACTURER of inexpensive GPS tracking devices for pets, cars, children and elderly relatives has been incredibly lax in its security, shipping the devices with the default password of "123456" to millions of customers.
After finding this weakness in Shenzhen i365-Tech's T8 Mini GPS tracker, researchers from Avast found the same problem affected more than 30 other models of GPS tracker in the company's catalogue, often sold as white-label products with other company branding.
Each one requires users to log in via a web panel or mobile app to check the device's location, with both connecting to the same cloud server. The horrible password choice was matched by an easily guessable user ID system, which is based on the sequential IMEI number of each device sold.
There's not really a good spin on this, unless you consider it an act of kindness to the alarming number of people who still make this uncrackable series of numbers their password of choice.
And while users can change the password for themselves after setting up, a worrying number are just leaving the default. Avast scanned four million devices and found over 600,000 of those had kept ‘123456'. Suffice it to say the actual number is likely higher, as Avast capped the number of scans to four million.
While this is obviously bad news for owners of the devices, it's not great news for Shenzhen i365-Tech either. The researchers say that given the IMEI numbers and passwords are so predictable, a mischievous competitor could hijack the hardware before it's sold by changing the password, essentially making them dead on arrival once shipped.
The company didn't respond to Avast when it disclosed the problem, so it lives on. If you happen to have such a device, change the password. In fact, let's just make it a rule that we always change default passwords, okay? µ
Put a Ring-Con on it
We know. We're as surprised as you are
It's available across all major UK networks