In addition to this, the user account, which is associated with an ID number, ships with a default password of 123456. The researchers found that the ID number is not assigned randomly; it is associated with the device’s IMEI number. An IMEI number is a 15-digit identifier given to mobile and satellite phones. With this knowledge, the researchers could log in to the accounts of about 25% of the devices in the sequence of IMEI numbers. This would allow them to see the real-time location of the devices on that account. Avast estimated that over half a million people are using GPS trackers affected by these vulnerabilities.
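
A vendor-side sketch of the two flaws described above next to a hardened provisioning routine, added here as an illustrative example (it is not code from Avast or the manufacturer). The record layout, function names, sample IMEI and the `imei[4:14]` derivation are assumptions; the article does not say how the ID is derived from the IMEI.

```python
import hashlib
import hmac
import secrets

DEFAULT_PASSWORD = "123456"  # shipped default named in the article

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def make_record(account_id: str, imei: str, password: str, must_change: bool) -> dict:
    salt = secrets.token_bytes(16)
    return {"account_id": account_id, "imei": imei, "salt": salt,
            "pw_hash": hash_password(password, salt), "must_change": must_change}

def provision(imei: str) -> tuple[dict, str]:
    """Hardened: random account ID plus a unique password that must be changed."""
    initial_password = secrets.token_urlsafe(12)   # unique per device
    account_id = secrets.token_hex(8)              # not derived from the IMEI
    return make_record(account_id, imei, initial_password, True), initial_password

def legacy_provision(imei: str) -> dict:
    """Weak pattern from the article. imei[4:14] is an assumed derivation."""
    return make_record(imei[4:14], imei, DEFAULT_PASSWORD, False)

def audit(records: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (account_id, issues) for every record showing either flaw."""
    findings = []
    for rec in records:
        issues = []
        # Assumed rule: an ID that is a substring of the IMEI is guessable.
        if rec["account_id"] in rec["imei"]:
            issues.append("id-derived-from-imei")
        default_hash = hash_password(DEFAULT_PASSWORD, rec["salt"])
        if hmac.compare_digest(rec["pw_hash"], default_hash):
            issues.append("default-password")
        if issues:
            findings.append((rec["account_id"], issues))
    return findings

if __name__ == "__main__":
    sample_imei = "990000000000011"  # constructed sample value, not a real device
    hardened, _ = provision(sample_imei)
    print(audit([legacy_provision(sample_imei), hardened]))
```
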
Despite the manufacturer’s location in China, the researchers found that the GPS trackers were also widely used in the United States and elsewhere around the world. Avast attempted to privately contact the manufacturer about these vulnerabilities but has not received a response. A senior researcher stated that "we have done our due diligence in disclosing these vulnerabilities to the manufacturer, but since we have not heard back after the standard window of time, we are now issuing this public service announcement to consumers and strongly advise you to discontinue use of these devices."
When shopping for any IoT device, it can be tempting to go with the low-cost, off-brand option, especially when the name-brand device can be so much more expensive. However, the cheaper option often skimps on or simply omits basic security measures to reduce cost. The researchers advised consumers to do their research and buy from respected vendors. These devices are designed to provide peace of mind, but in reality they make the wearer more vulnerable, not less.