GPS trackers for kids exposed real-time location and had default password 123456

If there's anything worse than picking an easy-to-hack password, it's being assigned a default easy-to-hack password for your GPS tracker. And, yet, that's what reportedly happened to at least a half million people.

A report from cybersecurity firm Avast, as reported by The Next Web, found that 29 models of trackers made by Chinese company Shenzhen i365 Tech had vulnerabilities that may have exposed the data of more than 600,000 users.

Each account was assigned an ID number and default password, which just happened to be "123456." For more than 100,000 users, the exposed data included real-time location information. The report also claimed that design flaws in the trackers allowed "third-parties to 'spoof' (or fake) the user’s location, or access the microphone for eavesdropping."

Making matters even worse: these GPS devices were designed to help parents track their children. 

Avast shared a detailed blog post that really gets into the nitty-gritty of their research and how they investigated these vulnerabilities. They scanned 4 million devices and came up with more than 600,000 devices still using the default "123456" passwords.

Then, they scanned a subset of 1 million of those 4 million devices and found it was possible to locate 167,000 of them. Not great! Avast says they made the manufacturer aware of the flaws in late June 2019 but has yet to hear back.

Avast also reports they never heard back from the company and points out that, though they're made in China, the trackers are sold under various brand names on Amazon, eBay, and Alibaba all over the globe, including in Brazil, Australia, and, yes, the United States.