Developers: Shenzhen i365 Tech
Last Release Date: 2019/09/06
Technology: Satellite communication and navigation
2019: Vulnerabilities detected in the T8 Mini GPS tracker
On August 6, 2019, Avast reported that it had detected serious vulnerabilities in the T8 Mini GPS tracker from Shenzhen i365 Tech.
According to the company, researchers also found vulnerabilities in other models from this manufacturer: in total, as of September 2019, 30 trackers have security problems, including trackers intended to protect children, elderly people, pets and property. Instead, these devices allow third parties to obtain all data from the cloud, including exact GPS coordinates, in real time. In addition, attackers can spoof the location or gain access to the microphone for eavesdropping.
According to estimates by Avast Threat Labs researchers, about 600,000 unprotected trackers were in use worldwide as of September 2019. At the same time, the specialists emphasize that the problem of IoT device security extends far beyond the products of one supplier.
Martin Hron, the Avast security expert who led this research, advises that when choosing a GPS tracker, buyers consider products from a brand that pays more attention to the security of its devices. It is important that security is built into the product itself, especially complex passwords and reliable data encryption.
For devices of this kind there is a general rule: always change the default password to a more complex one. But in the case of devices from this manufacturer, even this security measure will not prevent an attacker from intercepting the encrypted traffic.
Avast Threat Labs specialists began by analyzing the T8 Mini's connection process, following the instructions to download the companion mobile application from http://en.i365gps.com.
The website was served over HTTP rather than the more secure HTTPS. Users can log in to their account with an individually assigned identification number and the shared default password "123456"; this information is also transmitted over the insecure HTTP protocol.
The identification number is derived from the device's International Mobile Equipment Identity (IMEI), so it was easy for the researchers to predict and enumerate possible identification numbers of other trackers from this manufacturer. Combined with the shared password, practically any device that follows this sequence of IMEI numbers can be compromised with little effort.
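On the service side, the weakness described above shows up as a single client logging in to a run of adjacent identification numbers. The following is an added example, not code from Avast or the vendor, that flags that pattern in login logs; the log line format, the identification numbers and the addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log; the line format is hypothetical, not the vendor's.
SAMPLE_LOG = """\
2019-09-01T10:00:01Z 198.51.100.20 login id=40111200345 result=ok
2019-09-01T10:00:05Z 203.0.113.7 login id=40111200100 result=ok
2019-09-01T10:00:06Z 203.0.113.7 login id=40111200101 result=fail
2019-09-01T10:00:06Z 203.0.113.7 login id=40111200102 result=ok
2019-09-01T10:00:07Z 203.0.113.7 login id=40111200103 result=ok
2019-09-01T10:00:08Z 203.0.113.7 login id=40111200105 result=ok
2019-09-01T10:02:11Z 198.51.100.20 login id=40111200345 result=ok
2019-09-01T10:03:40Z 198.51.100.31 login id=40111207710 result=ok
2019-09-01T10:03:59Z 198.51.100.31 login id=40111203312 result=ok
"""

LINE_RE = re.compile(r"^(\S+) (\S+) login id=(\d+) result=(ok|fail)$")

def longest_run(ids, max_step):
    """Longest stretch of sorted IDs whose neighbours differ by <= max_step."""
    best = run = 0
    prev = None
    for value in sorted(ids):
        run = run + 1 if prev is not None and value - prev <= max_step else 1
        best = max(best, run)
        prev = value
    return best

def detect_enumeration(log_text, min_run=4, max_step=2):
    """Return {source: run_length} for sources walking adjacent device IDs."""
    ids_by_source = defaultdict(set)
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # ignore lines that are not login events
        _, source, device_id, _ = match.groups()
        ids_by_source[source].add(int(device_id))
    flagged = {}
    for source, ids in ids_by_source.items():
        run = longest_run(ids, max_step)
        if run >= min_run:  # one owner rarely touches many neighbouring IDs
            flagged[source] = run
    return flagged

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The thresholds `min_run` and `max_step` are illustrative and would need tuning against real traffic, for example for users who legitimately manage several trackers bought together.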
The researchers found that all requests originating from the tracker's web application are transmitted unencrypted. Even more important is the fact that attackers can force the device to execute commands that were not originally intended, for example:
- call a phone number in order to eavesdrop through the GPS tracker's microphone;
- send an SMS to determine the device's phone number and then use SMS as an attack vector;
- use SMS to redirect calls from the device to an alternative server, in order to gain full control over the device or to forge the information sent to the cloud;
- remotely provide the tracker with a URL from which to install firmware on the device that completely replaces the device's functionality or implants a backdoor.