A year after Norwegian researchers found that child-tracking, GPS-connected smartwatches had major security flaws – flaws that would have let strangers eavesdrop on a child, talk to them behind their parent’s back, use the watch’s camera to take their picture, stalk them, or lie about their whereabouts – not much has changed.
When Pen Test Partners decided to check up on how one of the four models the Norwegian researchers looked at had shaped up over the course of 14 months, things turned out to be status quo: the security of TechSixtyFour’s Gator watch and thousands of other watches was still a train wreck.
Pen Test Partners’ TL;DR:
Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.
Following the Norwegian Consumer Council’s (NCC’s) 2017 report about these Internet-of-Things (IoT) wrist wraps, bad press broke out like so much prepubescent acne. At least one UK retailer, John Lewis, responded by yanking the Gator 2.
In November 2018, TechSixtyFour founder Colleen Wong said on the company’s blog that it had responded to the NCC’s report with a complete, one-month-long system overhaul. It also hired a vulnerability assessment firm to review its systems on an ongoing, monthly basis.
But last week, Pen Test Partners’ Vangelis Stykas said that when his firm checked in on the Gator, it was still a snap to hijack the kids’ watches. He explained that Pen Test Partners found that they could change user level to “super admin access” via the web portal for the Gator 3 – it was simple, given that the system didn’t bother to check whether or not the user should get that kind of privileged access:
The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!
It meant that an attacker could get “full access to all account information and all watch information,” Stykas said. The fact that parents were able to specify their access level via a user-controlled parameter that they could boost to admin level means that child predators or other malicious attackers could have snooped on as many as 20,000 customer accounts and 35,000 affected devices. Malicious actors could have obtained user contact details, and they could have identified and tracked the locations of those users’ children.
They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch.
On the plus side, Gator snapped fast
TechSixtyFour is apparently the UK distributor for the Gator watches, which rely on back-end service from a Chinese company called Caref Watch Co Ltd.
To its credit, TechSixtyFour made it fairly straightforward to fix the vulnerability, given that, unlike some vendors, it publishes a contact and a policy for vulnerability disclosure. It was also pretty speedy with getting the flaw patched: after Pen Test Partners disclosed the vulnerability on 11 January, TechSixtyFour (eventually) closed the vulnerability within 48 hours. …
… but only after its first “fix,” which consisted of blocking the researchers’ accounts with HTTP 502 errors. This first, ineffective fix also involved removing the form element from the web page that allowed the researchers to change to super admin access … while leaving the problem-causing parameter untouched on the server side.
The following day, Caref apologized for the non-fix and removed the offending form and parameter. It was all patched up for real as of 16 January.
Fortunately, nobody maliciously exploited the bug, as TechSixtyFour told the Register on Friday:
We appreciate Ken Munro of Pen Test Partners disclosing this vulnerability to us, and our team have taken this seriously as our fix was completed within 48 hours. An internal investigation of the logs did not show that anybody had exploited this flaw for malicious purposes.
[TechSixtyFour’s engineers] implemented a partial fix within 12 hours. They then identified the root cause and deployed a full fix within 48 hours of the notification.
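To make the flaw class concrete, here is an added example that is not TechSixtyFour’s, Caref’s or Pen Test Partners’ code. It models three things from the article: a handler that trusts a client-supplied user level parameter (the original bug), the observation that hiding the form field changes nothing because the handler still honours the parameter, and the proper fix of taking the role from the server-side session. It also includes the kind of retrospective log check a team would run when investigating whether the parameter was ever abused. The parameter name `userLevel`, the admin value 3, the session store, the device records and the log lines are all constructed assumptions, not details of the real platform.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed numeric level meaning "super admin" in this model (not the vendor's value).
ADMIN_LEVEL = 3

# Constructed server-side session store: session token -> account record.
SESSIONS = {
    "tok-parent-alice": {"user_id": 101, "role": "parent"},
    "tok-parent-bob": {"user_id": 102, "role": "parent"},
    "tok-operator": {"user_id": 1, "role": "super_admin"},
}

# Constructed device records (child watches) keyed by device id.
DEVICES = {
    "watch-a": {"owner_id": 101, "child": "A", "location": (51.50, -0.12)},
    "watch-b": {"owner_id": 102, "child": "B", "location": (53.48, -2.24)},
}


def make_request(session_token, **params):
    """Build a constructed request: a session cookie plus query parameters."""
    return {"cookies": {"session": session_token}, "params": params}


def _visible_devices(user_id, is_admin):
    """Device ids the caller may see: everything for admins, own devices otherwise."""
    if is_admin:
        return sorted(DEVICES)
    return sorted(d for d, rec in DEVICES.items() if rec["owner_id"] == user_id)


def vulnerable_list_devices(request):
    """The flaw class from the article: authorization decided by a
    client-supplied 'userLevel' parameter. Any logged-in parent who edits
    that value to the admin level sees every watch on the platform."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        raise PermissionError("not logged in")
    level = int(request["params"].get("userLevel", 1))  # attacker-controlled
    return _visible_devices(session["user_id"], is_admin=level >= ADMIN_LEVEL)


# Removing the form field from the web page leaves the handler untouched: a
# request that still carries the parameter is processed exactly as before,
# which is why a UI-only change is not a fix.
ineffective_ui_only_fix = vulnerable_list_devices


def hardened_list_devices(request):
    """The real fix: ignore any client-supplied level and take the role from
    the server-side session record, which the client cannot edit."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        raise PermissionError("not logged in")
    is_admin = session["role"] == "super_admin"
    return _visible_devices(session["user_id"], is_admin)


# Constructed access-log lines in the form "<session token> <method> <path>".
SAMPLE_LOG = [
    "tok-parent-alice GET /api/devices?userLevel=1",
    "tok-parent-alice GET /api/devices?userLevel=3",
    "tok-operator GET /api/devices?userLevel=3",
    "tok-parent-bob GET /api/devices",
]


def flag_level_tampering(log_lines):
    """Retrospective check over access logs: requests that carried an
    admin-valued userLevel from a session whose stored role is not admin.
    This is the kind of query behind 'the logs did not show anybody
    exploited this flaw'."""
    hits = []
    for line in log_lines:
        token, _method, path = line.split(" ", 2)
        query = parse_qs(urlsplit(path).query)
        level = int(query.get("userLevel", ["1"])[0])
        role = SESSIONS.get(token, {}).get("role")
        if level >= ADMIN_LEVEL and role != "super_admin":
            hits.append(line)
    return hits


if __name__ == "__main__":
    tampered = make_request("tok-parent-alice", userLevel="3")
    print("vulnerable:", vulnerable_list_devices(tampered))
    print("hardened:  ", hardened_list_devices(tampered))
    print("suspicious log lines:", flag_level_tampering(SAMPLE_LOG))
```

The point of the hardened handler is that nothing authorization-relevant arrives from the client at all; the role is looked up from state the server already holds. The log check is only as good as the logging: if query strings were never recorded, an investigation like the one TechSixtyFour describes cannot rule abuse out.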
Then there’s the ‘why hasn’t anything changed?’ side…
The problem with these kids’ watches is they should be getting far more thorough security testing before they hit the market, Stykas said. An automated vulnerability assessment service doesn’t cut it, he said:
They’re just not thorough or capable enough to really dig deep, particularly into an API.
Unfortunately, given the thin margin for these gadgets, that’s unlikely to change.
The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security.
Bottom line: steer clear of these things, Stykas said.
Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it.