Are tracking devices a security risk?

Published Oct 20, 2022 by Xiph

GPS-enabled devices whether that’s apps on our phones, in-car navigation systems, fitness trackers, or shiny new gadgets like Apple’s AirTag were created to make our lives easier, but also pose a security risk for users. We cover everything below.

tracking devices dangerous

Do all tracking devices use GPS technology?

Most tracking devices we use in our day-to-day lives including wearable tech, electronics, vehicle navigation systems, and mapping platforms like Google Maps use some type of Global Positioning System (GSP) technology that determines location and time information in real-time, as well as direction and speed − using signals from the 30+ navigation satellites circling Earth. Geo-tagging also uses GPS to identify where and when photos are taken and stores that information in a photo. GPS devices can also connect to other devices using Bluetooth.

Is it possible to track without GPS technology?

Yes, it’s possible to access time and location data without GPS technology, using a combination of Wi-Fi, cellular, and Bluetooth signals. This is especially helpful when there is no user permission to request GPS data or when using a VPN to mask location data. Both iOS and Android phones, and many applications use signals from nearby cell phone towers and known Wi-Fi networks to roughly pinpoint your location and that of your devices, sometimes in combination with Assisted GPS (A-GPS). You can get about 95% accuracy when detecting a location that way.

Do Apple AirTags use GPS tracking?

Apple AirTags which have only recently come onto the scene, don’t use GPS tracking, but rather a combination of sensors, and Bluetooth signals that can be detected by nearby devices in the Find My network. AirTags send location data to iCloud which you can view by logging into the Find My app with your Apple ID. There are similar devices made by Samsung (SmartTag) and other companies that operate on a similar concept. These devices are commonly used to track personal items such as keys, wallets, luggage, and so on. Apple has built-in safeguards against unwanted tracking such as alerting iPhone users when an unknown AirTag is travelling with them, but some risks that can’t be negated. For example, nothing would stop a person from discreetly placing trackers on people or their belongings without their consent. It’s also possible to install tracking software on a person’s phone, but that requires access to the phone and their passcode.

Are there security risks in using tracking devices?

The main security concerns with tracking devices revolve around hacking and inadequate encryption. Tracking devices put your personal safety and data at risk. Someone with access to your GPS location information could easily work out your whereabouts or those of your devices or other assets. Although uncommon, GPS-enabled devices have security vulnerabilities that can easily be exploited. Researchers at Avast Threat Labs estimate there are about 600,000 unprotected trackers with default passwords in use globally, which essentially represents an open door for hackers.

On the encryption front, one example is the startling discovery that signals sent from commercially-available GPS trackers like the popular T8 Mini (and others like it) were broadcasted in unencrypted plaintext. People used the T8 Mini GPS tracker to keep tabs on their kids, pets, and even senior citizens.

Another more recent example that springs to mind were the high-severity security flaws found in a popular Chinese-built Micodus MV720 GPS vehicle tracker that made it possible for hackers to remotely disable cars while they’re moving, track location histories, disarm alarms, and cut off fuel. It impacted at least a million vehicles around the world.

Smartwatches and other wearables and their related apps and software also pose a security risk. A study by Symantec found there were multiple security risks in a large number of self-tracking devices, including those from leading brands, many of which were vulnerable to location tracking. Symantec also found vulnerabilities in how personal data was stored and managed, such as passwords being transmitted in clear text and poor session management.

Bluetooth-powered gadgets always pose a threat. Some hackers and malicious actors can intercept Bluetooth signals sent back to your smartphone and crack your PIN or passwords if multi-factor authentication (MFA) isn’t enabled. They could intercept and manipulate data and passwords. There are also potential privacy concerns over the hidden sharing of personal data with third parties.

Privacy concerns surrounding tracking devices have resulted in amendments to the Surveillance Devices Act 2004 which specify conditions and special cases under which tracking information can be accessed by authorities, typically under a warrant or emergency (i.e. national security, personal safety, etc.). It's completely legal to install a GPS device on a vehicle or asset you own, but it’s illegal to use GPS and any other kind of tracking on a person or their assets without consent.

How to reduce the risks of malicious tracking

The safety of tracking devices is often called into question; if you’re worried about hackers compromising your data, tracking, or GPS devices, check out these simple but effective security tips.

Put your devices in a signal-blocking case or sleeve: There’s only one way to make yourself untraceable outside of your normal activities and that’s to use signal-blocking technology. Place all your all devices (especially those that hold personal and sensitive data) in a Faraday case or sleeve (when not in use) to block all wireless signals including cellular, GPS, Wi-Fi, Bluetooth, RFID, and NFC.

Turn off GPS tracking and location services when you’re not using them: Disable location access for apps you’re not using. Make sure you turn off location services once you have completed your ride with a rideshare service like Uber, and the same goes for food delivery platforms. Always use a login that’s separate from your social media accounts where possible and check their security and privacy policies, especially around credit card and personal details storage. While you’re at it, switch off location services for the camera on your phone or tablet to prevent geo-tagging. Make a habit of deleting location history from your phone too.

Always use strong passcodes or passwords: It goes without saying − use unique and strong passwords to protect your devices and online accounts. Ideally, use a combination of lower and upper case letters, numbers, and symbols if possible. Do not use your birthdate! Make sure you have strong security settings on your devices and do not leave them on the default settings, particularly the default device name and default password.

Review all your apps that use location information: Do all your apps need location sharing enabled? Probably not. Think about which apps you really do need to allow access to your location information like your maps, rideshare apps, GPS-based games, and turn off location services for all others.

Use your navigation devices/apps carefully: Delete your location and trip history regularly and never save your home or work address to their exact location. Instead, set your home or work location to a few blocks away so that if someone was to crack your navigation devices or apps, they wouldn’t be able to find where you live. Make sure only your phone is paired with your navigation device.

A final word

Location tracking devices make our lives easier but also represent major personal security and privacy invasion risk. There are a few ways to protect your privacy and keep apps from unintended tracking or malicious hacking. For more information, contact us via email: enquiries@xiphcyber.com.


Posted in: Security