Attackers Can Track Childrens’ Locations via Connected Watches

Attackers Can Track Childrens’ Locations via Connected Watches

Despite ongoing warnings about connected watches and toys endangering kids’ privacy and potentially their physical safety, makers of these Internet of Things gadgets continue to turn out products that do just that.

The latest concern is a gamut of kids’ GPS-tracking watches, which were found to be exposing sensitive data involving 35,000 children — including their location, in real time.

Ironically, these are marketed as giving parents more peace of mind when it comes to keeping their children safe, because they allow mom and dad to keep tabs on their kids’ locations.

Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research.

“A year on, we decided to have a look at the Gator watch again to see how their security had improved,” said Vangelis Stykas, in a Tuesday posting. “Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents’ details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.”

The Vulnerability

At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control. An attacker with access to the watch’s credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information.

gator tracking watch

More specifically, the Gator works with a web login panel. Using a simple web proxy, the Pen Test Partners team was able to review requests being sent to the website – which included a “User[Grade]” parameter. Stykas simply guessed that this designates the level of privilege for the user and decided to play around with it.

“I changed the value to two and nothing happened, BUT change it to zero and you get platform admin,” he said.

He explained, “[Attackers] could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch…We found we could also list and modify all users and all device data.”

Gator has fixed the issue, but other watches that use the same backend may still be affected.

The backend service where the flaw resides is provided by a Chinese vendor called Caref Watch Co, according to Pen Test Partners.

Once the flaw was uncovered, the firm disclosed it to TechSixtyFour, which is Caref’s U.K. distributor. Pen Test Partners also said that it would go public a month later – the shorter-than-average time frame being in consideration for the risk to child safety. After one fix that did not remove the offending user-privilege parameter, Caref managed to resolve the issue just five days after being notified of the flaw, and TechSixtyFour has implemented the patch.

Kids’ Safety Continues to Be at Risk

Caref/TechSixtyFour is hardly the only member of the tracker-watch ecosystem to churn out disconcertingly insecure products for children.

In November, The Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.

The watch offers functions for parents like two-way calling via a SIM and cellular connection, as well as an accompanying app for parents to track their child’s location. Researchers at Pen Test Partners found flaws that could allow remote hackers to retrieve real-time GPS coordinates of the kids’ watches. Attackers could also call kids on their watches, eavesdrop on their conversations and intercept personal information about them, such as name, age and gender.

“The GPS watch market is growing significantly. Not only are children’s watches incorporating the services, but some running watches are employing the technology,” Stykas said. He added, “On a wider scale, the GPS watch market needs to ensure that their products are adequately tested. The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security. Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it.”

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

back to top

Top Cyber News

Cryptominers Still Top Threat but Coinhive's Shutdown Could Change That

Cryptominers Still Top Threat but Coinhive's Shutdown Could Change That

12 March, 2019

Coinhive has remained on top of Check Point Software's global threat index for the last 15 months. ...

Cracking Down on Botnets

Cracking Down on Botnets

15 April, 2019

Although there is no silver bullet solution for mitigating the risk of botnets, there are a number of helpful best pract...

Fibre reacts autonomously for the first time to changing net conditions

Fibre reacts autonomously for the first time to changing net conditions

06 March, 2019

The live field trial showcased fibre optic transmission systems autonomously adapting to changing network conditions in ...

Apple Speaks About Recycling iPhones Via Robot

Apple Speaks About Recycling iPhones Via Robot

19 April, 2019

Apple has spoken about its effort to become even more environmentally friendly, by offering an insight into its normally...

Telia tracks network data for smarter cities in northern Europe

Telia tracks network data for smarter cities in northern Europe

28 March, 2019

It uses aggregated, anonymised phone data to monitor crowd patterns.

Cyber Threats can target 20% of home PCs running worldwide: Says report

Cyber Threats can target 20% of home PCs running worldwide: Says report

12 March, 2019

According to the intelligence gathered from Avast Threat Detection Database, one in five home PCs running worldwide ar...


External Links

About Us

Follow Us