An estimated 600,000 GPS trackers for monitoring the location of kids, seniors, and pets contain vulnerabilities that open users up to a host of creepy attacks, researchers from security firm Avast have found.
Researchers at Avast Threat Labs found that ID numbers assigned to each device were based on its International Mobile Equipment Identity, or IMEI. Even worse, during manufacturing, devices were assigned precisely the same default password of 123456. The design allowed the researchers to find more than 600,000 devices actively being used in the wild with that password. As if that wasn’t bad enough, the devices transmitted all data in plaintext using commands that were easy to reverse engineer.[My emphasis]
And the punchline is that since everything is unencrypted and the password is, well, what an idiot would use for a luggage combination, an attacker can change GPS coordinates and all sorts of stuff.
Bah. Dad (a history professor) used to like to say that history repeats itself because nobody listens the first time.