Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack
from the internet-of-broken-things dept
We’ve long noted how the painful lack of security and privacy standards in the internet of (quite broken) things is also a problem in the world of connected toys. Like IOT vendors, toy makers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we’ve seen repeated instances where your kids’ conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.
When this problem is studied, time and time again we’re shown how most modern, internet-connected toys can be fairly easily hacked and weaponized. Granted since we haven’t even gotten more pressing security and privacy problems tackled (like the vulnerability of our critical infrastructure), problems like Barbie’s need for a better firewall tend to fall by the wayside.
Another recent case in point: A location-tracking smartwatch worn by thousands of children has proven… you guessed it… rather trivial to hack. The MiSafes Kid’s Watcher Plus is a “smart watch for kids” that embeds a 2G cellular radio and GPS technology, purportedly to let concerned helicopter parents track their kids’ location at all times. But security researchers at UK’s Pen Test Partners have issued a report calling the devices comically unsecure. As with many IOT devices, the researchers found that the devices and systems they rely on did not encrypt any of the data being transmitted:
“I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext.”
The researchers were quick to note that the only check the system’s API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, allows an attacker to return the watch location and device_id associated with that family. Since the watch updates the GPS coordinates to the API every five minutes, it provides a hacker near real-time insight into your kid’s location. Worse, spoofing a caller ID would let said theoretical attacker covertly listen in on your kids, or contact them… while pretending to be you:
“The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.
Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this?
Yeah, that’s not creepy at all.
Of course like so many IOT devices, MiSafes’ child-tracking smartwatches, which have been on the market in since 2015, are made by a Chinese company that had no interest responding to inquiries by security researchers. And being sold at around £9 ($11.50) per pop, there’s certainly no incentive for its makers to suddenly start dramatically improving their security and privacy standards. It’s another reason why efforts to standardize the inclusion of security and privacy problems in product reviews is something we all need to get behind, since it’s abundantly clear legislation and regulation alone can’t really address the problem.
Filed Under: hacking, internet of things, iot, security, smart watch
Comments on “Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack”
Formatting Error!!!!
I beg you, learn to headline
A hyphen between “kid” and “tracking” is all that it would take to make this headline perfectly understandable at a glance.
Instead, you have to get to “prove” before you realize it’s not about a kid who is tracking watches.
Re: I beg you, learn to headline
Regardless of whether we’re talking about headlines, isn’t that hyphen required by English grammar anyway?
Re: Re: I beg you, learn to headline
Shh, Be quiet. Be vewy quiet. I am twacking a smaaaaaawt watch.
So a relatively cheap gps tracker + listening device that could be deployed anywhere.
What is the battery life?
How easy is it to disable the speaker to avoid inadvertently alerting anyone to it’s presence?
Re: Re:
From the report: The call was automatically answered, the watch briefly displayed a “Busy” message, then the screen went blank. The watch did not ring, so no one would know who was listening in or from where.
Reminds me of how pentesters have called elevator emergency phones to spy on "private" conversations. (Many will silently auto-answer.)
Dafuq is with that phone icon? Did they copy that from win 95 or hyperterminal? Do children recognize that as “phone”?
Also the twitterish bird and hot air balloon. It seems the sort of thinking that went into security here also pervades the rest of the product. It all but screams “don’t buy me!”
Precedents they set
I am deeply disturbed about how many parents seem to be determined to act like they are characters in a YA Dystopia Novel and the normalization of the utterly fucked up.
IOT
Good post, I agree security is definitely something to work on.