Incident: Default Password Vulnerability in Shenzhen i365 Tech GPS Trackers.

Published Date: 2019-09-06

Postmortem Analysis
Timeline 1. The software failure incident with the Chinese-made GPS trackers from Shenzhen i365 Tech happened in June 2019 as per the article published on September 6, 2019 [Article 89928].
System 1. T8 Mini GPS trackers from Shenzhen i365 Tech 2. Default password "123456" 3. IoT devices with weak security standards 4. Unencrypted requests from the GPS tracker's apps 5. Lack of response from Shenzhen i365 Tech to security warnings [89928]
Responsible Organization 1. Shenzhen i365 Tech - The company responsible for manufacturing the Chinese-made GPS trackers with dangerous vulnerabilities, including the default password flaw, which led to the software failure incident [89928].
Impacted Organization 1. Users of the T8 Mini GPS trackers from Shenzhen i365 Tech, including children, senior citizens, pets, and luggage, who had their real-time location data exposed due to the default password vulnerability [Article 89928].
Software Causes 1. The default password "123456" set by the manufacturer for the GPS trackers was a major software cause of the failure incident, making it easy for hackers to gain access to people's real-time location data [Article 89928]. 2. Weak security standards in the Internet of Things (IoT) devices, including the lack of encryption for requests from the GPS tracker's apps, allowed anyone on the same Wi-Fi network to take control of the device, potentially leading to eavesdropping on conversations and exposure of sensitive data [Article 89928].
Non-software Causes 1. Weak security standards in Internet of Things (IoT) devices, including default passwords, which are a common flaw for connected gadgets [Article 89928]. 2. Lack of encryption for requests from the GPS tracker's apps, allowing anyone on the same Wi-Fi network to take control of the device [Article 89928]. 3. Failure of the manufacturer, Shenzhen i365 Tech, to respond to warnings about critical security issues despite multiple outreach attempts by Avast [Article 89928].
Impacts 1. The default password "123456" for the Chinese-made GPS trackers from Shenzhen i365 Tech led to major security vulnerabilities, allowing hackers to access people's real-time location data [Article 89928]. 2. More than 600,000 GPS trackers from Shenzhen i365 Tech were estimated to have this security flaw, potentially exposing a large number of users to privacy risks [Article 89928]. 3. The unencrypted nature of the requests from the GPS tracker's apps allowed anyone on the same Wi-Fi network to take control of the device, potentially enabling hackers to eavesdrop on conversations and access sensitive data [Article 89928]. 4. Despite attempts by cybersecurity company Avast to warn Shenzhen i365 Tech about the critical security issues, the manufacturer did not respond, leading to a lack of resolution for the vulnerabilities [Article 89928].
Preventions 1. Implementing strong and unique default passwords for each device model to prevent easy access by hackers [89928]. 2. Encrypting all communication between the GPS tracker and online servers to protect sensitive data from interception [89928]. 3. Conducting thorough security testing and vulnerability assessments before releasing the product to identify and address potential flaws [89928]. 4. Responding promptly to security alerts and warnings from cybersecurity researchers to address critical issues in a timely manner [89928].
Fixes 1. Implementing strong, unique passwords for each device instead of default passwords like "123456" [Article 89928]. 2. Encrypting all requests from the GPS tracker's apps to prevent unauthorized access on the same Wi-Fi network [Article 89928]. 3. Encrypting sensitive data, such as location coordinates, before sending it to online servers to protect user privacy [Article 89928]. 4. Responding promptly to security warnings and addressing critical security issues raised by cybersecurity researchers to ensure the safety and security of the devices [Article 89928].
References 1. Security researchers from cybersecurity company Avast [Article 89928]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) The software failure incident related to default passwords and security vulnerabilities in GPS trackers from Shenzhen i365 Tech is an example of a recurring issue within the same organization. The article mentions that the default password "123456" is a common flaw across nearly 30 other models in the company's lineup, indicating a pattern of poor security practices within the organization [Article 89928]. (b) Additionally, the article highlights that default passwords are a common flaw for connected gadgets in general, not just limited to Shenzhen i365 Tech. Lawmakers are concerned about the weak security standards of IoT devices, and California even passed a law prohibiting IoT devices from having default passwords. This suggests that similar incidents have occurred with other organizations and their products, indicating a broader industry problem with default passwords and security vulnerabilities in IoT devices [Article 89928].
Phase (Design/Operation) design, operation (a) The software failure incident related to the design phase is evident in the case of the Chinese-made GPS trackers from Shenzhen i365 Tech. The devices were shipped with a default password "123456," which was the same for nearly 30 other models in the company's lineup. This design flaw allowed hackers to easily access people's real-time location data once they figured out the default password. The default password being easily guessable and not unique to each device highlights a significant vulnerability introduced during the system development phase [89928]. (b) The software failure incident related to the operation phase is seen in the unencrypted nature of all requests from the GPS tracker's apps. This lack of encryption meant that anyone on the same Wi-Fi network could take control of the device, potentially hijacking the tracker's microphone and eavesdropping on conversations. Additionally, sensitive data, including location coordinates, was sent to online servers without encryption, further exposing user data to potential threats. These operational vulnerabilities were introduced by the way the system was operated and maintained, making it susceptible to misuse and exploitation [89928].
Boundary (Internal/External) within_system (a) The software failure incident related to the Chinese-made GPS trackers from Shenzhen i365 Tech can be categorized as within_system. The failure was primarily due to the default password "123456" being set for the GPS trackers, which extended to nearly 30 other models in the company's lineup. This default password vulnerability allowed hackers to gain complete access to people's real-time location data once they figured out the password [Article 89928]. Additionally, the unencrypted nature of all requests from the GPS tracker's apps and the sensitive data being sent to online servers without encryption were internal system vulnerabilities that further contributed to the software failure incident [Article 89928].
Nature (Human/Non-human) non-human_actions, human_actions (a) The software failure incident occurring due to non-human actions: The software failure incident in this case is primarily due to non-human actions, specifically the dangerous vulnerabilities present in the Chinese-made GPS trackers manufactured by Shenzhen i365 Tech. These vulnerabilities include the usage of a default password "123456" across multiple models, unencrypted requests from the tracker's apps, and the exposure of sensitive data during transmission to online servers. These flaws were identified by security researchers from Avast, highlighting the inherent security weaknesses in the IoT devices [Article 89928]. (b) The software failure incident occurring due to human actions: The software failure incident can also be attributed to human actions, particularly the decisions made by the manufacturer, Shenzhen i365 Tech. Despite being aware of the critical security issues in their GPS trackers, the company did not respond to warnings from Avast and failed to address the vulnerabilities in a timely manner. This lack of response and action on the part of the manufacturer contributed to the continuation of the security flaws in the devices, ultimately leading to the software failure incident [Article 89928].
Dimension (Hardware/Software) hardware, software (a) The software failure incident reported in the articles is primarily due to hardware-related issues. The Chinese-made GPS trackers from Shenzhen i365 Tech were found to have dangerous vulnerabilities, such as having "123456" as their default password across multiple models. This hardware-related flaw in the design and implementation of the GPS trackers' security features allowed hackers to gain complete access to people's real-time location data [Article 89928]. (b) The software failure incident also has software-related aspects. The default password vulnerability, unencrypted requests from the GPS tracker's apps, and the lack of encryption for sensitive data being sent to online servers are all software-related weaknesses that contributed to the security flaws in the GPS trackers. These software vulnerabilities allowed potential hackers to exploit the devices and compromise user data [Article 89928].
Objective (Malicious/Non-malicious) malicious (a) The software failure incident in this case is malicious. Security researchers discovered dangerous vulnerabilities in Chinese-made GPS trackers from Shenzhen i365 Tech, including the use of the default password "123456" across multiple models [Article 89928]. Hackers could exploit this flaw to gain complete access to people's real-time location data, potentially compromising the safety and privacy of individuals using these devices. Additionally, the unencrypted nature of the tracker's app requests could allow unauthorized individuals to take control of the device, such as hijacking the microphone to eavesdrop on conversations [Article 89928]. Despite attempts by Avast to notify Shenzhen i365 Tech about these critical security issues, the manufacturer did not respond, prompting a public service announcement advising consumers to discontinue the use of these vulnerable devices [Article 89928].
Intent (Poor/Accidental Decisions) poor_decisions (a) The software failure incident related to the Chinese-made GPS trackers from Shenzhen i365 Tech can be attributed to poor decisions made by the manufacturer. The default password "123456" being set for all devices and not being changed for nearly 30 other models in the company's lineup reflects a significant security flaw introduced by the manufacturer [Article 89928]. Additionally, the lack of response from Shenzhen i365 Tech to warnings about critical security issues despite being contacted by cybersecurity researchers multiple times further emphasizes the poor decisions made by the manufacturer in addressing these vulnerabilities.
Capability (Incompetence/Accidental) development_incompetence, accidental (a) The software failure incident in the article can be attributed to development incompetence. The Chinese-made GPS trackers from Shenzhen i365 Tech were found to have dangerous vulnerabilities, such as having the default password "123456" across nearly 30 models in the company's lineup [Article 89928]. This default password issue is a clear example of a security flaw introduced during the development process due to a lack of professional competence in ensuring proper security measures. (b) Additionally, the incident can also be categorized as accidental. The default password issue, which posed a significant security risk, was not intended but was accidentally set as the default password for all the GPS trackers shipped by the company. This accidental introduction of a major vulnerability highlights the importance of thorough testing and security checks during the development process to prevent such incidents from occurring [Article 89928].
Duration temporary The software failure incident described in the article is temporary. The default password "123456" for the Chinese-made GPS trackers from Shenzhen i365 Tech was a contributing factor to the vulnerability, but the article notes that the default password isn't permanent and can be changed by the user when they first unbox the device [Article 89928].
Behaviour crash, omission, other (a) crash: The software failure incident in the article can be categorized as a crash. The GPS trackers from Shenzhen i365 Tech have a major security flaw with a default password of "123456," which allows hackers to gain complete access to people's real-time location data once they figure out the password. This vulnerability can lead to a system crash where the system loses its state and fails to perform its intended function of securely tracking individuals [Article 89928]. (b) omission: The software failure incident can also be categorized as an omission. Despite the default password being changeable by the user, the fact that the devices were all shipped with the same default password of "123456" can be seen as an omission in ensuring proper security measures were in place from the beginning. This omission led to the vulnerability that hackers could exploit to access sensitive location data [Article 89928]. (c) timing: The software failure incident does not align with a timing failure as the system is not described as performing its intended functions too late or too early. The focus is on the security vulnerability related to the default password and unencrypted data transmissions rather than timing issues [Article 89928]. (d) value: The software failure incident does not align with a value failure as the system is not described as performing its intended functions incorrectly. The main issue highlighted in the article is the security flaw related to the default password and unencrypted data transmissions, which could lead to unauthorized access to sensitive location data [Article 89928]. (e) byzantine: The software failure incident does not align with a byzantine failure as the system is not described as behaving erroneously with inconsistent responses and interactions. The main concern is the security vulnerability due to the default password and unencrypted data transmissions, which could compromise the privacy and security of individuals using the GPS trackers [Article 89928]. (f) other: The other behavior of the software failure incident is the exposure of sensitive data and the potential for unauthorized access to real-time location information. This behavior is a significant security risk that could have serious consequences for individuals using the GPS trackers, as hackers could exploit the default password vulnerability to track their movements and potentially eavesdrop on conversations through the device's microphone [Article 89928].

IoT System Layer

Layer Option Rationale
Perception sensor (a) The failure was related to the perception layer of the cyber physical system that failed due to contributing factors introduced by sensor error. The Chinese-made GPS trackers from Shenzhen i365 Tech had dangerous vulnerabilities, including the use of the default password "123456" across multiple models. This default password flaw allowed hackers to gain complete access to people's real-time location data [Article 89928].
Communication connectivity_level The software failure incident reported in the articles is related to the communication layer of the cyber physical system that failed at the connectivity_level. The failure was due to contributing factors introduced by the network or transport layer. Avast's analysis found that all the requests from the GPS tracker's apps are unencrypted, which means anyone on the same Wi-Fi network can take control of the device. This vulnerability allows potential hackers to hijack the tracker's microphone and eavesdrop on conversations, indicating a failure at the network or transport layer [Article 89928].
Application TRUE The software failure incident described in the article [89928] is related to the application layer of the cyber physical system. The failure was due to dangerous vulnerabilities in Chinese-made GPS trackers, specifically the T8 Mini GPS trackers from Shenzhen i365 Tech. These vulnerabilities included the use of the default password "123456" across multiple models, unencrypted requests from the GPS tracker's apps, and unencrypted sensitive data transmission to online servers. These issues were attributed to bugs, operating system errors, and incorrect usage, which align with the definition of application layer failure in a cyber physical system.

Other Details

Category Option Rationale
Consequence property, theoretical_consequence, other (a) death: People lost their lives due to the software failure - There is no mention of any deaths resulting from the software failure incident reported in the articles [Article 89928]. (b) harm: People were physically harmed due to the software failure - The articles do not mention any physical harm caused to individuals due to the software failure incident [Article 89928]. (c) basic: People's access to food or shelter was impacted because of the software failure - The articles do not mention any impact on people's access to food or shelter due to the software failure incident [Article 89928]. (d) property: People's material goods, money, or data was impacted due to the software failure - The software failure incident resulted in a major security flaw where hackers could gain complete access to people's real-time location data once they figured out the default password of the GPS trackers. This could potentially lead to the compromise of personal data and privacy [Article 89928]. (e) delay: People had to postpone an activity due to the software failure - There is no mention of any activities being postponed due to the software failure incident in the articles [Article 89928]. (f) non-human: Non-human entities were impacted due to the software failure - The software failure incident primarily affected the security and privacy of individuals using the GPS trackers, and there is no specific mention of non-human entities being impacted [Article 89928]. (g) no_consequence: There were no real observed consequences of the software failure - The software failure incident had significant consequences related to the security and privacy of individuals using the GPS trackers, as detailed in the articles [Article 89928]. (h) theoretical_consequence: There were potential consequences discussed of the software failure that did not occur - The potential consequences discussed in the articles include the risk of hackers gaining access to real-time location data, eavesdropping on conversations through the tracker's microphone, and the exposure of sensitive data due to unencrypted communication between the device and online servers [Article 89928]. (i) other: Was there consequence(s) of the software failure not described in the (a to h) options? What is the other consequence(s)? - The software failure incident could potentially lead to serious privacy breaches and compromise the safety of individuals using the GPS trackers, as highlighted by the security researchers [Article 89928].
Domain information (a) The software failure incident reported in the articles is related to the industry of information. The incident involves Chinese-made GPS trackers, which are used for tracking children, senior citizens, pets, and luggage. These devices have dangerous vulnerabilities, including a default password of "123456," making them susceptible to hacking and unauthorized access to real-time location data [Article 89928].
