Although none of the devices have internet connectivity and won’t be found on exposed device database sites like Shodan, they can still be remotely accessed and controlled by SMS. Worse, the researchers found the device can be remotely reset without needing a PIN — opening up the device to further commands. His team showed it was easy to extrapolate hundreds of working phone numbers connected to vulnerable devices based off a single known device. One text message to a vulnerable device, bought by the security researchers, allowed us to remotely grab its real-time coordinates. The team told several of the device makers of the flaws, but Mabbitt said there’s no way to fix the vulnerabilities without recalling every device. The location and call functions could be locked down to calls and texts only from those numbers previously programmed in as emergency contacts.” The U.K. just last week announced a proposed new cybersecurity law that would require connected devices to be sold with a unique password, and not a default.