Flawed GPS Tracker Lets Strangers Spy on Kids, Elderly

UPDATED with comment from Pebbell 2 distributor HoIP Telecom.

A widely sold two-way cellular intercom, panic button and GPS tracking device tells loved ones where an elderly person or a child can be found — and it can tell everyone else, too.

Many versions of the affected device look like this, but the color and button printing vary. Credit: Amazon

(Image credit: Many versions of the affected device look like this, but the color and button printing vary. Credit: Amazon)

Researchers at Fidus Information Security in Cambridge, England, found that the device, made as a "white label" gadget in China and then rebranded and sold under least nine different names in the U.S. and the U.K., can be tampered with remotely if you simply send it SMS text-message commands.

One texted command makes the device cough up its GPS location. Another turns on the microphone to eavesdrop on the wearer and his or her surroundings. A third SMS message shuts off the cellular modem, killing the gadget's intended functions. A fourth erases any security PIN (not required) that the user has set on the device.

"Now these devices are out in the wild, I expect there is no way to apply ... updates," a Fidus researcher, identified by TechCrunch as Andrew Mabbit, wrote in a Fidus company blog posting. "Any local authorities that are supplying these devices, or employers who are using them to keep their workforce safe, should be aware of the privacy and security problems and should probably switch to another device with security built from the ground up."

MORE: Best GPS Kid Trackers

The attacker would need to know the device's phone number, but Fidus researchers used one device issued as part of a fleet by a local government agency in the U.K. They sent out 2,500 text-message commands to phone numbers in the same number range as that device's number. They got responses from 175 GPS trackers.

"We assumed we would get a few devices to respond off the bat," wrote Mabbit. "We had hoped that most people had set the PIN feature so that they wouldn’t respond to our number. Unfortunately, we were wrong."

The PIN feature, if it's set by the user (who has to read the instructions to even know about the PIN option) will thwart most of these texted commands — except the RESET or REBOOT commands. And the RESET command will erase the PIN. It's not quite fair to call these SMS-based attacks "hacks" when they're actually built-in functions.

The teardrop-shaped device uses a 2G cellular signal with a SIM card, but has no internet connectivity. Its battery will last for months, and it recharges when you drop it into a handy docking station. It can be worn as a pendant on a lanyard, and there's a big panic button, often stamped "SOS," right in the middle of the device.

Fidus said about 10,000 units of the device have been sold in the United Kingdom under various names: the Pebbell 2; the Unforgettable Personal Alarm & GPS Tracker with Fall Alert; the OwnFone Footprint; the Tracker Expert GPS Tracker Fail Alarm; the SureSafeGO 24/7 Connect 'Anywhere' Alarm; the Ti-Voice TrackIt 24/7; and "many, many more."

We had a look on the U.S. Amazon site and found identical-looking gadgets sold for between $62 and $329 as the Sonew Real Time Tracking Fall Down Safety GPS Intercom Tracker; the Guardian Locate Personal and Vehicle GPS 3G Tracker; and the Dioche Real Time Tracking Fall Down Safety GPS Intercom Tracker.

In addition, the SureSafe company, which Fidus said sells the gadget in the U.K., appears to be based in New Jersey, but its "Anywhere" Alarm version of the device seems to be out of stock.

Unfortunately, if you or your loved ones already use one of these devices, it won't be easy to fix.

"All they needed to do was print a unique code on each pendant and require that to be used to change configurations," Mabbit wrote. But, he added, "it is easy to fix new devices, but not so much a device already in the wild."

UPDATE: HoIP Telecom, which distributes the Pebbell 2, reached out to Tom's Guide to explain that its devices are not vulnerable to this flaw, as messages sent to the devices are managed at the servers rather than on the devices. Fidus Information Security has updated its own report to reflect that.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.