A GPS tracker used as a panic alarm has major security flaws that can leak users’ real-time location and allow it to be remotely deactivated, say UK cyber-security researchers. They are calling for an immediate recall.
Manufactured in China, the devices are bought in bulk and resold by several companies around the world. While the device itself doesn’t have internet connectivity, it does use a SIM card to connect to a cell network for location tracking. However, almost anyone can give the device commands by knowing its phone number and sending it a text.
Commands can allow the device’s current location to be divulged and its built-in microphone to be listened to remotely. It can also be turned off completely – all without the user’s knowledge.
The staggering security breach was uncovered by researchers at British cybersecurity firm Fidus Information Security, who have published a report about their astonishing findings. The researchers note that while the SIM can be protected with a PIN, that setting it not enabled by default and the device can still be reset without needing a PIN.
Marketed as an alarm and panic button for the elderly, a monitoring device for children or a car tracker, the device is utilized by thousands of vulnerable people who think it’s keeping them safe, wrote Fidus.
“This device is marketed at keeping the most vulnerable safe and yet anybody can locate and listen into thousands of people’s lives without their knowledge,” warns Fidus director Andrew Mabbitt, TechCrunch reports.