The flaws were detailed by two security researchers, Vangelis Stykas and Michael Gruhn, in a report titled Trackmageddon. Devices affected include car, pet, and children trackers.
The researchers said that hackers could use the flaws to extract details such as a user's location, device model and type name, serial numbers (such as IMEI), an assigned phone number, and a custom assigned name.
"We tried to give the vendors enough time to fix (also respond for that matter) while we weighed this against the current immediate risk of the users," said the researchers.
They concluded that the historic location information of users does not pose a direct imminent critical risk to a user.
"We could not establish communication with any of the “still vulnerable” online services and hence do not have any information on possible planned fixes. Hence, we assume there will be no fixes," they said.
"This default password will not adequately protect you, even if your device is managed by an online service that is not vulnerable. For gpsui.net you cannot change the password. The password seems to be hardcoded into the tracking device. However, the password seems to be six random digits, which provides slightly better protection than 123456," they said.
"As long as the online service managing your device is still vulnerable, changing your password will not matter and there is unfortunately not much you can currently do to protect yourself besides stopping to use the device," they added.
Mark James, security specialist at ESET, told SC Media UK that data such as GPS locations, along with times, could enable an attacker to tailor an attack, either digital or indeed physical, with optimum effectiveness. "With this type of information, it shows a very clear footprint of your every move - something that, if exploited, could be the difference between a failed or successful attack," he said.
"An attacker with access to the data could use this information to determine your whereabouts and tailor a specific attack either with you, or without you present, depending on the attack vector."