At least 600,000 GPS trackers manufactured by a Chinese company are using the same default password of "123456," security researchers from Czech cyber-security firm Avast disclosed today.

They say that hackers can abuse this password to hijack users' accounts, from where they can spy on conversations near the GPS tracker, spoof the tracker's real location, or get the tracker's attached SIM card phone number for tracking via GSM channels.

Over 30 GPS tracker models impacted

Avast researchers said they found these issues in T8 Mini, a GPS tracker manufactured by Shenzhen i365-Tech, a Chinese IoT device maker.

However, as their research advanced, Avast said the issues also impacted over 30 other models of GPS trackers, all manufactured by the same vendor, and some even sold as white-label products, bearing the logos of other companies.

All models shared the same backend infrastructure, which consisted of a cloud server to which GPS trackers reported, a web panel where customers logged in via their browsers to check the tracker's location, and a similar mobile app, which also connected to the same cloud server.

Image: Avast

But all this infrastructure was full of holes. While Avast detailed several issues in its report, the biggest was the fact that all user accounts (either from the mobile app or web panel) relied on a user ID and a password that were easy to guess.

The user IDs were based on the GPS tracker's IMEI (International Mobile Equipment Identity) code and was sequantial, while the password was the same for all devices -- 123456.

This means that a hacker can launch automated attacks against Shenzhen i365-Tech's cloud server by going through all user ID's one by one, and using the same 123456 password, and take over users' accounts.

While users can change the default after they log into their account for the first time, Avast said that during a scan of over four million user IDs, it found that more than 600,000 accounts were still using the default password.

Pervasive tracking and other attacks

Many customers buy the devices to track pets, elderly family members, kids, cars, or other valuable items. An attacker who gains access to one of these customer accounts can track victims, but they can also spoof the tracker's location to kidnap or steal a valuable product without the owner noticing until it's too late.

In addition, these devices come with microphones and SIM cards so children or elderly members can place SOS calls to authorities or family members.

Avast says account hackers can abuse this feature to place a phone call to their own number, answer the call, and then quietly spy on the GPS tracker owner.

Default password also puts vendor's profits in danger

But these default passwords aren't dangerous just for the owners of these GPS trackers. Avast says the Chinese company itself is in danger.

Researchers explain that accounts on the cloud service are created as soon as the GPS trackers are manufactured. They said that a malicious competitor could hijack these accounts before the devices are sold and chnage their passwords, effectively locking accounts and creating customer support problems for Shenzhen i365-Tech and its resellers later down the road.

Since Avast's research only looked at four million user IDs, the actual number of GPS trackers with default passwords is most likely much higher.

Unfortunately for everyone, the issue persists to this day, as Shenzhen i365-Tech did not respond to Avast's emails when the company tried to warn the vendor. Similar contact attempts made by ZDNet's sister site CNET didn't succeed either.

For now, users who own one of the 30+ GPS tracker models listed in the Avast report are advised to change their account passwords as soon as possible.