A popular smartwatch that allows parents to track their children’s whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children.
Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children’s location, spoof the child’s location or view personal data on the victims’ accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch’s service and app while it investigates further.
Researchers found that the service’s back end does not make any authorization attempt on any request – besides the user having a valid username and password combination.
That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia.
“All in all we can see that the developer of the back end took no consideration into authorizing any of the requests, and cared only that the application was working effectively, leaving all the data available to access and manipulate,” Pen Test Partners researcher Vangelis Stykas said in an analysis. “This is unacceptable for a product that is supposed to keep children secure, and a trend that we constantly see in the IoT market, that products are rushed to the market.”
The TicTocTrack smartwatch is made by Gator Group (which has had watch privacy issues before). The smartwatch also comes with a complementary mobile app, developed by a company called Nibaya, that is available on Google Play and the Apple App Store.
“To this day, there has never been a security breach that has led to our customers’ personal data being used for malicious purposes,” said iStaySafe in a statement sent to Threatpost. “Our team are constantly working to improve our software and make it as safe as possible for our users. As soon as a full technical assessment has taken place, conducted by a trusted, reputable and accredited penetration testing service, we will be releasing a transparent report which will detail what security issues were apparent, what steps we are taking and when.”
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features.
The smartwatch’s API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to); because the back end never checks that the caller actually belongs to that family, this gives a bad actor complete access to another user’s data – including the children’s location, parents’ full names, phone numbers and other personally identifiable information.
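As an added illustration (not code from TicTocTrack, Nibaya or Pen Test Partners), the Python below shows the missing object-level authorization check: a handler that trusts a client-supplied FamilyIdentifier beside one that ties it to the authenticated session and records denials for detection. The user store, family records, handler names and audit log are constructed for the example.

```python
# Added example, not the TicTocTrack back end. All data below is constructed.
from dataclasses import dataclass

@dataclass
class User:
    username: str
    family_id: int  # the FamilyIdentifier this account belongs to

# Constructed sample data: two families, one parent account in each.
USERS = {
    "parent_a": User("parent_a", 1001),
    "parent_b": User("parent_b", 1002),
}
FAMILIES = {
    1001: {"children": ["child_a"], "last_fix": (-33.87, 151.21)},
    1002: {"children": ["child_b"], "last_fix": (-27.47, 153.03)},
}

# Audit log of refused requests: (username, requested family id).
AUDIT: list[tuple[str, int]] = []

def get_family_unchecked(session_user: str, family_id: int):
    """Pattern the article describes: authentication only. Any logged-in
    account that supplies someone else's FamilyIdentifier gets their data."""
    if session_user not in USERS:
        return 401, None
    return 200, FAMILIES.get(family_id)

def get_family_checked(session_user: str, family_id: int):
    """Hardened form: the family is derived from the server-side session and
    a client-supplied FamilyIdentifier that does not match it is refused."""
    user = USERS.get(session_user)
    if user is None:
        return 401, None
    if family_id != user.family_id:
        AUDIT.append((session_user, family_id))  # keep a trail for detection
        return 403, None
    return 200, FAMILIES.get(family_id)

def accounts_with_denials(threshold: int = 1) -> set[str]:
    """Detection hook: accounts that were refused at least `threshold` times.
    Repeated 403s on varying family ids from one login are an enumeration signal."""
    counts: dict[str, int] = {}
    for username, _ in AUDIT:
        counts[username] = counts.get(username, 0) + 1
    return {u for u, n in counts.items() if n >= threshold}
```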
“Anyone could discover the location of children using the watch,” Stykas said. “Anyone could tamper with that position data, making you think your children were safe whilst they were actually elsewhere. Anyone could cause false alarms by moving the reported position of your child.”
Researchers with Pen Test Partners teamed up with security researcher Troy Hunt, who lives in Australia, to test the attack. With Hunt’s daughter wearing the device, Pen Test Partners researchers found that they were able to both track and spoof her location, as well as contact her via a phone call that the watch presented as coming from “dad.”
In a video, Hunt shows how the smartwatch vulnerability could be exploited to call his daughter, and how her smartwatch would answer automatically without any interaction needed from her end:
The company said in its notice to customers that it will restrict all user access to the TicTocTrack application and service until it can confirm the validity of the flaws and fix them.
Smartwatches continue to be a cause for security concern – particularly ones targeted at tracking children. In January, researchers found an array of security issues in the Gator portfolio of watches from TechSixtyFour, including flaws exposing sensitive data of 35,000 children. In February, the European Commission issued a recall for the Safe-KID-One, an IoT watch made by German company Enox Group, due to “serious” privacy issues. And, in November, the Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.
This article was updated on April 16 at 8:41 a.m. with a statement from iStaySafe.