Children's Smart Watches Are Still a Privacy Train Wreck


A year after a groundbreaking report into poor security in children’s smart watches, many devices are still leaking sensitive personal information about vulnerable young users, security consultancy Pen Test Partners has warned.

In early 2018, the Norwegian Consumer Council published a report on the security of wearable devices aimed at children. It found a variety of flaws across a whole range of models. These included Gator 2, a brand sold in both Norway and the UK, from Chinese manufacturer Caref.

Gator vulnerabilities at the time included the ability to harvest personal information on users from the website simply by entering the watch’s unique identifier (printed on the back of the unit).

Pen Test Partners waited a year to see how things had improved. “Guess what: a train wreck,” it concluded in a post on its website. “Anyone could access the entire database, including real time child location, name, parents details etc.”

The cause of the flaw was a vulnerability in the interface to Gator’s back-end app. The app passed the user’s security level as a parameter in the URL. Setting it to zero automatically gave a client administrative access, Pen Test Partners explained.

This flaw exposed sensitive data on 35,000 children, the security consultancy said. These GPS watches often include data about a child’s location alongside other information such as geofence data that could indicate where they live or go to school.

UK distributor TechSixtyFour asked Caref to fix the problem, and the manufacturer responded by putting a 502 (bad gateway) error on the Pen Test Partners account. Only after persisting did the consulting firm get Caref to fix the problem properly by removing the offending URL parameter.
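The flaw described above is a classic broken-access-control bug: the server trusted a privilege level supplied by the client in the URL. The added example below is not Gator's or Pen Test Partners' code; it is a constructed Python sketch with placeholder watch IDs and accounts that shows the trusting lookup beside the fixed version, where the privilege claim in the request is ignored and authorisation is derived from the server-side account instead (the parameter name `security_level` and the data are assumptions).

```python
from urllib.parse import parse_qs

# Constructed sample data: watch ID -> child record. Placeholders only, not real identifiers.
CHILD_RECORDS = {
    "WATCH-0001": {"name": "Child A", "location": (51.50, -0.12), "parent": "parent-a@example"},
    "WATCH-0002": {"name": "Child B", "location": (53.41, -2.98), "parent": "parent-b@example"},
}

# Server-side account store: the role and the watches each authenticated account may view.
ACCOUNTS = {
    "parent-a": {"role": "parent", "watches": {"WATCH-0001"}},
    "parent-b": {"role": "parent", "watches": {"WATCH-0002"}},
    "ops-admin": {"role": "admin", "watches": set()},
}

ADMIN_LEVEL = 0  # assumed encoding of the bug: level 0 in the URL meant "administrator"


def _watch_id(params):
    return params.get("id", [None])[0]


def vulnerable_lookup(account, query_string):
    """The flawed pattern: a privilege level read from the URL overrides ownership checks."""
    params = parse_qs(query_string)
    try:
        level = int(params.get("security_level", ["1"])[0])
    except ValueError:
        level = 1
    watch_id = _watch_id(params)
    if level == ADMIN_LEVEL or watch_id in ACCOUNTS[account]["watches"]:
        return CHILD_RECORDS.get(watch_id)
    return None


def hardened_lookup(account, query_string):
    """The fix: drop the client-supplied level; authorise from the server-side account only."""
    params = parse_qs(query_string)
    watch_id = _watch_id(params)
    acct = ACCOUNTS[account]
    if acct["role"] == "admin" or watch_id in acct["watches"]:
        return CHILD_RECORDS.get(watch_id)
    return None
```

Logging every request whose supplied privilege claim exceeds what the authenticated account actually holds is a cheap detection signal for this class of tampering.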

Fixing that flaw hopefully made a whole bunch of kids safer in one fell swoop, because the same back-end system covered multiple watch brands, warned Pen Test Partners.

That’s great, but what about all the other smartwatch vendors? “The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security,” Pen Test Partners continued. “Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it.”

The topic of Cyber Physical/IoT will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Cyber Physical/IoT here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.
