Published on May 19th, 2019
Your kid's "smart watch" lets anyone in the world trace their location. Again. / Boing Boing
Back in 2017, the Norwegian Consumer Council published a damning report on the privacy leaks from kids' "smart watches," a parade of horrors that included allowing unauthorized third parties to trace your kid's location, and also to covertly eavesdrop through the watches' microphones and bark creepy orders at them through their speakers.
A year later, Pen Test Partners audited the security of the popular MiSafes kids' smart-watch and guess what? It was a fucking dumpster-fire, too. Six months later, Pen Test Partners checked kids' "smart watches" like those from Gator and they were still fucking dumpster-fires. The accumulated evidence was finally enough to prompt a recall of Safe-Kid One, one of the terrible watches.
You'd think that this would be a wake-up call for the kids' "smart watch" sector. You'd be wrong.
This week, nearly two years after the first of these reports was published, Pen Test Partners has audited TicTocTrack, a kids' "smart watch" retailed in Australia, and you will: never. guess. what. they. found.
TicTocTrack is a rebadged Gator watch -- the ones that had to fix a glaring API flaw that Pen Test Partners published on in January -- but because it has its own back-end, one that keeps all kid-data onshore in Australia, it has its own grotesque security defects.
TicTocTrack paid a Sri Lankan company called Nibaya to develop a new mobile front-end, and hosts the servers with an Australian firm called 6YS. The back-end's API allows wide-ranging access to all users' data with no meaningful authorization: you need a valid username/password combo, but you can get one by buying a watch and initializing it, and once logged in the API never checks that the FamilyIdentifier you ask for is your own, so you can read every other family's account.
The API exposes all family data associated with the account, "including children's location, parents' full names, parents' phone numbers and other PII." You can also read kids' realtime location data and erase it, so that after you've used it to kidnap someone's kid, you can delete all record of where the kid was before you snatched them.
Oh, and you can also turn the watch's mic into a covert listening device, and use it as a PA that lets you say creepy things to kids in the middle of the night.
To TicTocTrack's credit, they took swift action on Pen Test Partners' report and immediately notified all their customers about the risks of using their products -- albeit while downplaying the seriousness of the vulnerabilities, claiming that they had never been exploited, even though such exploitation would be virtually impossible for the company to detect unless its API logs recorded which authenticated account asked for which FamilyIdentifier. The company has taken the service down and says they'll relaunch it after they fix these defects.
The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parents' full names, phone numbers and other personally identifiable information.
"Anyone could discover the location of children using the watch," Stykas said. "Anyone could tamper with that position data, making you think your children were safe whilst they were actually elsewhere. Anyone could cause false alarms by moving the reported position of your child."
Researchers with Pen Test Partners teamed up with security researcher Troy Hunt, who lives in Australia, to test the attack. With Hunt's daughter wearing the device, Pen Test Partners researchers found that they were able to successfully both track and spoof her location -- as well as contact her via a phone call, which purported to be from "dad" on the watch.
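The access-control failure described above is a textbook insecure direct object reference: the server authenticates the caller and then trusts whatever FamilyIdentifier the client sends. What follows is an added example written for this page, not TicTocTrack's, Nibaya's or Pen Test Partners' code; the family records, session tokens, handler names and the access-log format are all constructed for illustration. It shows the vulnerable lookup beside a fixed one, the enumeration an attacker holding one legitimately bought-and-initialized account could run against each, and the log check that would make such reads visible if the back-end logged the authenticated account next to the requested FamilyIdentifier.

```python
# Added example (not TicTocTrack's code): an insecure direct object
# reference (IDOR) of the kind described above, where any authenticated
# user can read any family's records by changing FamilyIdentifier.
# Data, session tokens, handler names and log format are constructed.
import re
from dataclasses import dataclass


@dataclass
class Family:
    family_id: int
    parents: list
    phones: list
    child_locations: list  # (lat, lon) fixes, newest last


# Constructed sample data: three families in a hypothetical back-end.
FAMILIES = {
    101: Family(101, ["Alice Example"], ["+61 400 000 101"], [(-33.87, 151.21)]),
    102: Family(102, ["Bob Example"], ["+61 400 000 102"], [(-37.81, 144.96)]),
    103: Family(103, ["Carol Example"], ["+61 400 000 103"], [(-27.47, 153.03)]),
}

# Session token -> the family that account actually belongs to.
SESSIONS = {"tok-alice": 101, "tok-bob": 102}


def get_family_vulnerable(session_token, family_identifier):
    """Authenticates the caller, then trusts the client-supplied
    FamilyIdentifier. Any valid login can read any family."""
    if session_token not in SESSIONS:
        raise PermissionError("not logged in")
    return FAMILIES[family_identifier]


def get_family_fixed(session_token, family_identifier):
    """Authenticates the caller, then authorizes the object: the
    requested FamilyIdentifier must match the one bound to the session."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        raise PermissionError("not logged in")
    if family_identifier != owner:
        # Fail closed, and do not reveal whether the identifier exists.
        raise PermissionError("forbidden")
    return FAMILIES[family_identifier]


def enumerate_families(handler, session_token, id_range):
    """What an attacker with one bought-and-initialized account does:
    walk the FamilyIdentifier space and keep whatever comes back."""
    leaked = {}
    for fid in id_range:
        try:
            fam = handler(session_token, fid)
        except (PermissionError, KeyError):
            continue
        leaked[fid] = fam.parents[0]
    return leaked


# Constructed access-log lines in a hypothetical format that records the
# authenticated token beside the FamilyIdentifier actually requested.
SAMPLE_LOG = """\
2019-04-01T02:10:05Z token=tok-alice GET /api/Family?FamilyIdentifier=101 200
2019-04-01T02:10:09Z token=tok-alice GET /api/Family?FamilyIdentifier=102 200
2019-04-01T02:10:10Z token=tok-alice GET /api/Family?FamilyIdentifier=103 200
2019-04-01T02:11:00Z token=tok-bob GET /api/Family?FamilyIdentifier=102 200
"""

LOG_RE = re.compile(r"token=(\S+) \S+ \S+\?FamilyIdentifier=(\d+) (\d+)")


def flag_cross_family_requests(log_text):
    """Returns (token, requested_id) pairs where a session successfully
    read a family it does not own. Only possible when the server logs
    both the caller identity and the object requested."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        token, fid, status = m.group(1), int(m.group(2)), int(m.group(3))
        if status == 200 and SESSIONS.get(token) != fid:
            hits.append((token, fid))
    return hits


if __name__ == "__main__":
    print("vulnerable:", enumerate_families(get_family_vulnerable, "tok-alice", range(100, 110)))
    print("fixed:     ", enumerate_families(get_family_fixed, "tok-alice", range(100, 110)))
    print("suspicious:", flag_cross_family_requests(SAMPLE_LOG))
```

The fixed handler deliberately answers "forbidden" for both non-existent and foreign identifiers, so an enumeration run learns nothing about which FamilyIdentifier values are in use; and the log check is the kind of evidence a vendor would need before claiming a flaw was never exploited.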
Tic Toc Pwned [Vangelis Stykas/Pen Test Partners]
TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids [Lindsey O'Donnell/Threatpost]