Despite ongoing warnings about connected watches and toys endangering kids’ privacy and potentially their physical safety, makers of these Internet of Things gadgets continue to turn out products that do just that. The latest concern is a gamut of kids’ GPS-tracking watches, which were found to be exposing sensitive data involving 35,000 children — including their location, in real time.
Ironically, these are marketed as giving parents more peace of mind when it comes to keeping their children safe, because they allow mom and dad to keep tabs on their kids’ locations.
Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research.
“A year on, we decided to have a look at the Gator watch again to see how their security had improved,” said Vangelis Stykas, in a Tuesday posting. “Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents’ details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.”
The Vulnerability
At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control. An attacker with access to the watch’s credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information.
More specifically, the Gator works with a web login panel. Using a simple web proxy, the Pen Test Partners team was able to review requests being sent to the website – which included a “User[Grade]” parameter. Stykas simply guessed that this designates the level of privilege for the user and decided to play around with it.
“I changed the value to two and nothing happened, BUT change it to zero and you get platform admin,” he said.
He explained, “[Attackers] could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch… We found we could also list and modify all users and all device data.”
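The flaw described above is a mass-assignment bug: the backend bound a client-supplied `User[Grade]` field straight onto the account record. The following is an added illustration, not code from Pen Test Partners or from the Caref/Gator backend; the form-body layout, the in-memory account table and the meaning of grades other than zero are assumptions.

```python
from urllib.parse import parse_qsl

ADMIN_GRADE = 0    # the article reports that grade 0 yielded platform admin
PARENT_GRADE = 1   # assumed default grade for an ordinary parent account

def sample_accounts() -> dict:
    """Constructed sample account table (not real data): username -> record."""
    return {
        "parent_a": {"Name": "Parent A", "Email": "a@example.invalid", "Grade": PARENT_GRADE},
        "parent_b": {"Name": "Parent B", "Email": "b@example.invalid", "Grade": PARENT_GRADE},
    }

def parse_form(body: str) -> dict:
    """Turn 'User[Grade]=0&User[Name]=X' into {'User': {'Grade': '0', 'Name': 'X'}}."""
    out: dict = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        if "[" in key and key.endswith("]"):
            model, attr = key[:-1].split("[", 1)
            out.setdefault(model, {})[attr] = value
        else:
            out[key] = value
    return out

def vulnerable_update(session_user: str, body: str, accounts: dict) -> dict:
    """Pattern the article describes: every submitted User[...] field is bound
    onto the logged-in user's own record, so the client controls Grade."""
    record = accounts[session_user]
    for attr, value in parse_form(body).get("User", {}).items():
        record[attr] = int(value) if attr == "Grade" else value
    return record

ALLOWED_SELF_EDIT = {"Name", "Email"}   # fields a user may change on their own record

def hardened_update(session_user: str, body: str, accounts: dict) -> dict:
    """Whitelist of editable fields; Grade is never read from the request."""
    record = accounts[session_user]
    for attr, value in parse_form(body).get("User", {}).items():
        if attr in ALLOWED_SELF_EDIT:
            record[attr] = value
    return record

def set_grade(acting_user: str, target_user: str, new_grade: int, accounts: dict) -> bool:
    """The only path that changes Grade: the caller's privilege is taken from the
    server-side session record, never from the request. Returns False if denied."""
    if accounts[acting_user]["Grade"] != ADMIN_GRADE:
        return False
    accounts[target_user]["Grade"] = new_grade
    return True
```

The same request body that promotes a user to admin in `vulnerable_update` leaves the grade untouched in `hardened_update`, which is the server-side check the article says was missing.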
Gator has fixed the issue, but other watches that use the same backend may still be affected.
The backend service where the flaw resides is provided by a Chinese vendor called Caref Watch Co, according to Pen Test Partners.
Once the flaw was uncovered, the firm disclosed it to TechSixtyFour, which is Caref’s U.K. distributor. Pen Test Partners also said that it would go public a month later, a shorter-than-average disclosure window chosen in consideration of the risk to child safety. After one fix that did not remove the offending user-privilege parameter, Caref managed to resolve the issue just five days after being notified of the flaw, and TechSixtyFour has implemented the patch.
Kids’ Safety Continues to Be at Risk
Caref/TechSixtyFour is hardly the only member of the tracker-watch ecosystem to churn out disconcertingly insecure products for children.
In November, the Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.
The watch offers functions for parents like two-way calling via a SIM and cellular connection, as well as an accompanying app for parents to track their child’s location. Researchers at Pen Test Partners found flaws that could allow remote hackers to retrieve real-time GPS coordinates of the kids’ watches. Attackers could also call kids on their watches, eavesdrop on their conversations and intercept personal information about them, such as name, age and gender.
“The GPS watch market is growing significantly. Not only are children’s watches incorporating the services, but some running watches are employing the technology,” Stykas said. He added, “On a wider scale, the GPS watch market needs to ensure that their products are adequately tested. The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security. Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it.”