back to article Stalking cheap Chinese GPS child trackers is as easy as 123... 456 – because that's the default password on 600k+ of these gizmos

Concerned parents who strap GPS trackers to their kids to keep tabs on the youngsters may be inadvertently putting their offspring in danger. Hundreds of thousands of the gizmos ship with pathetic security, including a default password of 123456, allowing them to be potentially monitored by strangers, it is claimed. White hats …

  1. jake Silver badge

    When I were a lad ...

    ... we had the run of the neighborhood from after school to after dark, generally with a break for dinner/supper. And nobody had any clue where, exactly, we were. We got filthy, rode bikes without helmets, climbed trees, played in creeks, etc. This caused very, very few "incidents" where children were harmed beyond the odd skinned knee, twisted ankle or busted arm (for the truly adventurous, usually hailed as a hero by their peers). Most of us were happy and healthy.

    Today, apparently kids are going to die (or worse) the instant they are out of view of an adult, and so we make them more vulnerable than they have ever been by fitting them with insecure tracking devices that any wannabe most-wanted character can access. Most kids are bored stiff, totally out of shape, many have compromised immune systems and/or are overweight, and their parents are paranoid as all get out.

    Does anybody see anything wrong with this picture, or is it just me?

    1. sanmigueelbeer Silver badge
      Pint

      Re: When I were a lad ...

      Does anybody see anything wrong with this picture, or is it just me?

      Nah mate. It's just you.

      Kidding aside, you forgot to mention that the only "password" you need to remember is the one that opens the door to the "clubhouse".

      And it wasn't "123456" either.

    2. defiler

      Re: When I were a lad ...

      For the other side of that argument, when you hear on the news about kids going missing a 5-10-minute drive from where you live, that's going to spike your paranoia. And when the media loves to dwell on these cases because it spikes peoples' paranoia, it just reinforces the feeling that, as a parent, I can do something so I must do something.

      My kids are just a little young yet for me to feel concerned about that, but when they're older I'd rather they had a phone instead, and felt empowered to call us if they have concerns rather than being snooped on all the time.

      And yes, I cycled across Scotland a couple of times when I was a kid. Multi-day trips with my mates in youth hostels. Before I got flabby. Not saying you're wrong at all - I'm just saying that I understand the fear.

      1. TwistedPsycho

        Re: When I were a lad ...

        Like the cycling across the country of @defiler I used to wander all over the south coast by bus by about 13 or 14.

        I would not let my kids do it now though, because not only are there lots of stories of kids oping missing, but it also acts as fuel to the fire of people that have always thought of nefarious acts but never felt confident to act on it.

        I always liken this to the problem with paedophilia. A few decades ago, people who had illicit thoughts about children would hide away in their local community as being outed was inevitably going to become a big thing. Now the Internet allows lots of like minded people around the world to talk in real time and feel included in a community.

        People become more brazen when they feel included. People then fail to realise that if they are more open online, they are more likely to be caught.... hence more people being found.

        1. Kernel

          Re: When I were a lad ...

          "I always liken this to the problem with paedophilia. A few decades ago, people who had illicit thoughts about children would hide away in their local community as being outed was inevitably going to become a big thing. Now the Internet allows lots of like minded people around the world to talk in real time and feel included in a community."

          I think you'll find that most of the people who are having illicit thoughts about your children are actually hidden away amongst your family, friends and others that are already known to you.

    3. Anonymous Coward
      Anonymous Coward

      Re: When I were a lad ...

      Given the most common reason for me to be late home from school when I was a lad was a bomb warning (or one actually going off) on the train line between my home and school or on one of the police/army patrol routes or an attack on the police station between my home and school (etc etc) I can understand wanting to have a quick way to check were your kids are. Unfortunately there's been a spike in violence over the last year or so. A new generation that didn't have to grow up with that kind of violence is being recruited to kick start the next cycle so I can only see a growing market for such devices.

      1. Anonymous Coward
        Anonymous Coward

        Re: When I were a lad ...

        I had some similar experiences to yourself but nowhere near as bad. I'll hazard a guess that you are from NI. I grew up partially in West Germany as a British Forces dependant in the '70s and early '80s. Me and my brother learned how to check for devices under the car from age five or six. I'm sure you have similar skills that were acquired through no fault of your own.

        The fuckwits that glorify the sort of environment that means that kids regularly get to spend an extra break in the playground whilst EOD and the police whizz about doing a potentially nasty job are people I would rather were confined to history. There have been quite a few wobbles but in general I perceive the healing process is still going in the right direction and I doubt (pray) we will see the like of the troubles manifest as they used to again.

        If anyone is in any doubt, I used a particular term "the troubles" which may not look important. Look it up with respect to Eire and Northern Ireland, UK etc

    4. Anonymous Coward
      Anonymous Coward

      Re: When I were a lad ...

      But we are a more risk averse society. The same way as you would never think of locking your front door if you were just popping to the shops for an hour or so when I was younger. Nowadays many people in urban areas wouldn't ever leave their front door unlocked when not at home or even when sleeping. The risk adverse in led by media influence, greater access to information and the removal of more serious risks amplifying the less serious risks.

      However it has worked, reducing risk has resulted in less workplace injuries, lower rates of death and serious injury from car accidents, less deaths from complications in surgery, etc.

      Although we can all point to things we did when we were younger "and nothing happened to us" there are many cases where something did happen to someone and a child got taken and killed. Whether the risk is greater the access to news and information is greater and also steps to mitigate are available. So a parent of a child of a certain age - one who is on the cusp of being able to walk home alone from school alone for instance, may well be forgiven for seeing a device that costs a few pounds and thinking that it will give them reassurance that their child id on the way home or has stopped for some bubblegum at the shop or is actually in the back of a van on the way to Manchester. It's a small thing that may not make the child safer (and in this case could make them less safe) but for a parent they are, through culture and society influences, perhaps more risk averse than a generation who lived through a World War or two and had a different relationship to risk.

      1. Kiwi
        Childcatcher

        Re: When I were a lad ...

        So a parent of a child of a certain age - one who is on the cusp of being able to walk home alone from school alone for instance, may well be forgiven for seeing a device that costs a few pounds and thinking that it will give them reassurance that their child id on the way home or has stopped for some bubblegum at the shop or is actually in the back of a van on the way to Manchester.

        1) If I was so inclined, I'd be taking off anything that looked like one of these devices or,

        2) from the article, it's apparently fairly easy to spoof the location information - so the app may tell you they're in the lolly shop while they're actually in my van, quite far from manchester.

        Or 3) Said van made up somewhat faraday-like, and your handy tracking device let me know just when Billy took the short-cut through that quiet alley where no one would see me grab him.

        But if there's nothing like that to happen, the biggest problem is still the one Jake and I agree on - along with many others...

        4) The over-protection of kids means they're not prepared for adulthood. Their fitness and health levels are poorer than they should be, their confidence with climbing/swimming and other stuff (including surviving alone outdoors for a few ours/days in some disaster or emergency or...) is negligible to non-existent; in short they're destined to die young from preventable disease or accident where our generation had the skills and confidence to get through easily. The over-protection of young kids sets them up for disaster later. Just look at the incidence of childhood diabetes and heart-disease (including fatal heart attacks) in kids who haven't reached their 20th.

        I can understand the desire to protect, especially at a bad time. After a breakup with his GF of a couple of years, my nephew sent a lot of us a txt with one word - "Goodbye". It was another 3 or 4 hours before he was located (alive and well but very upset). I can understand wanting to know where a child or loved one is. But the price, the risk of what all this protection does - it's too great and the cost to this generation will be so much higher than we can imagine.

        Teach them smarts and teach them confidence, that's the best protection and sets them up to survive a whole lot of things. And remember, the odds of your kid being abused by someone in their own home are far far higher than the odds of them being abused by someone on the street.

        1. Anonymous Coward
          Anonymous Coward

          Re: When I were a lad ...

          I'm not agreeing that the devices should be used, just that I can understand why they would be desirable. In reality unless they get prevalent, a ne-er-do-well will not realise they have a tracker on them and would probably not be able to send fake GPS locations unless the target was a high value.

          However the bit about no-confidence to do xyz I just don't see and would need some reliable evidence for that. I'm pretty sure 18yo are far more likely to holiday or go travelling by themselves much more than I was or my parents generation were. There seems to be no obvious decrease in appetite for risk amongst teenagers from what I can see, so would like to know the evidence. The food related illnesses is far more likely to do with the availability of fast food, processed food and sugar rich foods than people putting trackers on their kids.

          This idea that "when I were a lad" ... "things were so much better" ... "the youth of today" etc. It's just generalism that has been stated ad-nauseum by the older generations for centuries. It is the thinking of Rees-Mogg. Kids nowadays have so much more opportunity and information available than when I was a youngster, and many of them take that and run with it.

          1. Kiwi

            Re: When I were a lad ...

            I'm not agreeing that the devices should be used, just that I can understand why they would be desirable.,

            Yes, I can see that myself - where little thought is put into it. Sadly, too few today spend any real time thinking about purchases (well, waay back when no one really thought much, but back then the frivolous spending was more likely to be a set of gaudy curtains than a tracking device for your kids)

            In reality unless they get prevalent, a ne-er-do-well will not realise they have a tracker on them and would probably not be able to send fake GPS locations unless the target was a high value.

            That's the sort of thinking I'm sure they want you to have. You don't think the paedo chat rooms (if there's any still around?) aren't already all over this? There may be a bit of a gulf between their dreams and their abilities, but some will have the resources to abuse this. Many people will think there isn't any near them, but why take the risk?

            However the bit about no-confidence to do xyz I just don't see and would need some reliable evidence for that. I'm pretty sure 18yo are far more likely to holiday or go travelling by themselves much more than I was or my parents generation were. There seems to be no obvious decrease in appetite for risk amongst teenagers from what I can see, so would like to know the evidence. The food related illnesses is far more likely to do with the availability of fast food, processed food and sugar rich foods than people putting trackers on their kids.

            Look around. Kids are less likely to be sent outside or even allowed outside to play. They're more likely to be inside on their playstation. I wasn't allowed inside during the day unless I was playing in the yard and needed the toilet or it was a weekend and I was coming in for lunch. Otherwise I could be anywhere (once any chores were done - that's how we got spending money, did work at home or work for someone else like a paper run) and sometimes was 3 towns over, perhaps an hour's ride away.

            My parents trusted me and taught me to be trustworthy. Taught me to go out by myself and look after myself.

            We had sugar-rich drinks and fast food and the like, but they were a rare treat - even amongst the richer kids - not an every day item. We'd share a half-pint bottle of coke between 2 or 3 of us once a week, not expect to go through 3 or 4 litres of the stuff each every day.

            Want to put it to the test? Walk outside on the next fine weekday and see how many kids walk or ride past your house, how many play in the street (if your street is quiet enough). Go to the local playground. Is it filled with playing kids? Or is the only sound the chirping of crickets? When I was young the playgrounds were full, the streets were playgrounds for those who could, and kids walked or cycled alone or in groups - always without parents. Can you spot that in your community today? Do they still walk/bike to school? Do they still go to the playgrounds on their own or in groups of friends?

            It may not have changed where you live. It has where I live, and it has where I grew up. The thought of getting their arses off the couch has the fat little buggers panting and wheezing. The concept of being away from their devices causes them to have massive panic attacks. And social interaction? Forget it.

            (At least more and more schools are getting over the "ban anything that might get them hurt" stage and getting back into the "get off your fat arse, get outside and play" stage)

      2. Michael Wojcik Silver badge

        Re: When I were a lad ...

        Although we can all point to things we did when we were younger "and nothing happened to us" there are many cases where something did happen to someone and a child got taken and killed

        How many? Is it statistically significant? Is the difference between that supposed era of prelapsarian childhood freedom and today's supposed era of increased risk aversion statistically significant? Or is this just handwaving bullshit?

        Ciation fucking needed.

    5. Michael Wojcik Silver badge

      Re: When I were a lad ...

      Does anybody see anything wrong with this picture, or is it just me?

      Tulley's Beware Dangerism! is a comforting rant on the subject.

      In the US, violent crime rates have dropped significantly since 1990. In fact, the 2014 rate is only a little more than half the 1991 rate. I believe (but can't be bothered to check) that for at least a couple of decades prior to 1990 the rates were similarly high.

      The uptick since 2014 is minor; 2016's rate, the peak of the uptick, is still lower than any year before 2013.

      Unless someone has a compelling argument that the reporting rate has dropped drastically, or that the methodology is severely flawed, it appears that for the US, at least, the rise of dangerism is entirely due to false perception and a severe drop in risk tolerance. And people like Tammy Cooper are victims of the institutionalization of an oppressive and unjustified ideology.

  2. Phil Bennett

    123456?

    That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!

    1. Erroneous Howard

      Re: 123456?

      That's amazing. I've got the same combination on my luggage!

      1. OssianScotland

        Re: 123456?

        So have I - I thought no-one else would use it!

        1. Stuart Castle Silver badge

          Re: 123456?

          I, on the other hand, am sneaky. Mine is 654321.

          1. Aussie Doc
            Coat

            Re: 123456?

            Damn, I thought nobody else would have thought of that. Need the other lock now -->

  3. Winkypop Silver badge

    Sun rule

    As a kid we operated by the sun.

    Up at sunrise, out of the house.

    Dusk to sunset, back home.

    We had a national park at our doorstep to explore!

  4. SloppyJesse

    White hat botnet

    Unfortunately the people buying these are unlikely to be reading articles like this. And if they are they may well justify that it's all too technical for Pete the Paedo to use to target little Jimmy.

    The only way this is likely to be taken seriously is a very visual demonstration of how much data is available - anyone got a bot net to hijack and track them all for 7 days and publish it all on a map? That's the kinda thing that might get some attention. Of course we'd also have to contend with the big data slurpers and usual TLAs that actively play down any data privacy issues in case it results in rules that impact their own activities.

    1. Kiwi
      Pint

      Re: White hat botnet

      The only way this is likely to be taken seriously is a very visual demonstration of how much data is available

      I've tried. Not with this, but with a all-singing all-dancing alarm/CCTV system. Showed the person how trivial it was to get in to and disable using a laptop out front of their property.

      "But no burglar would ever think to try that", or objections to that effect.

      No matter how much you educate the general population, you're still dealing with people with an average IQ. You're dealing with people who publish all their life details on farcebork etc, who tell everyone when they're away from home and how long for, who give everyone their pets names via social media, link to their parents and grandparents (esp on their mom's side) profiles, and act surprised when people know what should be 'private information' about them.

      Do your best, I applaud your efforts and will be helping as best I can in my bit of the trench, but don't expect intelligent responses to this potentially grave threat. They can safely ignore you because it won't happen to them.

      If you can save one child though, you're a bloody hero and it was worth the effort after all!

  5. Christoph

    Never mind the hackers, what about the parents?

    "eavesdrop on the built-in microphone"

    What does it do to those children, knowing that their parents can listen in on everything that they say or is said to them? Any time, any place, they are under constant monitoring. That could have life-long effects. It certainly won't lead them to trust their parents in anything.

    1. Kiwi
      Pint

      Re: Never mind the hackers, what about the parents?

      What does it do to those children, knowing that their parents can listen in on everything that they say or is said to them?

      For many, especially the younger ones, they probably won't mind so much. But it will teach them to expect constant monitoring, like it's a normal thing.

      When they get to puberty (or just before), it will be a much different manner. And there's that age around 7 or 8 where they start to get rather privacy-concious, and wouldn't want mum listening in while they're in the toilet. That I can see causing the kids some psychological issues, perhaps major.

      Whatever way you look at it, this is NOT a good thing!

      (A lot of us had our trust eroded when we learned about Santa Claus etc)

  6. Kiwi
    Paris Hilton

    "parents who wish to use GPS gear to track their kids' whereabouts would be well-advised not to..."

    "...parents who wish to use GPS gear to track their kids' whereabouts would be well-advised not to..." have kids in the first place.

    Bad enough we have the mass giving away private info to whoever for whatever reasons that they're bring brought up with, but now to also have them carrying tracking devices[1] that also monitor their conversations?

    Years back, based on my reading of the Bible, even before GPS was commonly used, I used to say stuff like this would come about and it'd be sold first to monitor crims then later to monitor kids. Used to get mocked (and no doubt will do again here, how can I claim the Bible said this 2,000 years ago before they had electricity??) but who's laughing now? Well, not me I'm afraid.

    I hope this gets badly enough abused to scare people well away from this sort of thing, but sadly I also see wide-open WiFi cameras still get installed, alarm systems with terrible insecure base units and terrible insecure apps still get installed, people trust their homes to electronic locks with RFID or NFC-based "keys", and use those magnetic locks (with 200kg of force!) to "lock" their doors. I may weigh less than 80kg, but I wonder how much force I could generate if I took a run at your door. Probably even a sturdy kick. Of course, the WiFi camera shows me when you're not home, the crappy creapy app can help me confirm I'm jamming your outbound signals and turning off your mains switch - that magnet may have a battery backup but I wonder if it'll last the day while you're at work?

    Anyway.. Point is I hope people get scared of these but I expect they'll ignore the warnings and lap them up. After all they're not aware that Mr Herbert down the road is listening in and even watching their kids through the thing (if it can hold photos I'm assuming it has a camera of some sort?), perhaps whispering ideas while the kid is asleep (dunno how effective that would be but if I was so inclined I'm sure I'd give it a try)

    </YAAR>[2]

    [1] Yes I know mobes can be used to track people, but few of us consider them as 'tracking devices', unlike a device designed for that sole purpose

    [2] Yet Another Annoying Rant

  7. Kiwi

    Could be worse...

    oblig Dilbert

  8. Michael Wojcik Silver badge

    Oh, it gets worse

    Troy Hunt (of haveibeenpwned fame) did a fairly thorough investigation of one of these kidbug devices. It's a horror. Many of these things present a considerable net threat under reasonable threat models.

  9. Mike 137 Silver badge

    A rather obvious alternative

    Supposing such devices are a good idea in principle, why do they communicate with a centralised online "portal" parents can log into? That creates several points of failure and a large attack surface. The safest alternative would be for the individual device to be configurable to talk directly and solely to a specific phone. But of course there'd be no monetisable "service" then, so what a stupid idea.

  10. Stu J

    Kite Mark?

    About time we had some sort of Kite Mark/CE certification for IoT crap that at the very least checked that it wasn't this bloody easy to hack...

    1. Kiwi
      Paris Hilton

      Re: Kite Mark?

      I thought CE meant "Close Enough"????

      1. John Brown (no body) Silver badge

        Re: Kite Mark?

        No, it means "China Export". "Close Enough" would be a huge improvement.

  11. mark4155

    If I was a child now...i'm not...wearing a tracking device. I would return home some hours later and tell my parents it had been nicked or lost. Sorry f**k that. Let kids be kids. Technology is great, wrapping children in cotton wool is not.

  12. razorfishsl

    Took some of these apart.....

    Basically they are "dog" trackers... with a default piss-poor firmware... full of zero-day exploits, that is loaded into a broadband decoder chip, usually 8051 based...

    Even worse!!!.. they can be re-configured via SMS, some can even be re-programmed over the same protocol...

    These guys have only scratched the surface...

    Same kind of garbage in those bikes.... not even going to say what you can do with those as regards to SMS foreplay..........

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like