Why ‘PWNED!’ is appearing on some GPS smartwatches

Google Maps

We’re sort of accustomed to Google Maps shenanigans, but usually they’re funny, and/or cat-obsessed.

Like, say, the New Zealand map-cat behemoth that was for a time stretching off one side of Auckland’s Hobson Bay Walkway over to where its head was nearly touching the northwestern section of the trail: a full 250 meters of “ha-HA, Google, take THAT with your user-editable maps!”

But there’s lately been some map mischief with a far more serious intent: a German researcher who tried for over a year to get a smartwatch vendor to respond to vulnerability reports has tried to get the vendor’s attention by cyber-vandalizing the tracking maps of hundreds of GPS watches by printing the word “PWNED!” on them.

The researcher, Christopher Bleckmann-Dreher, has been trying to draw attention to over 20 models of GPS-tracking watches, some of which are used by children and the elderly, that he says are vulnerable to attackers.

They’re manufactured by the Austrian company Vidimensio. As Dreher outlines in his “Watchgate” slide deck (PDF), the watches have vulnerabilities that include communications with a backend API that allow eavesdropping and tracking of users, as well as allowing for data stored on the API server to be altered and for strangers to issue commands to users’ watches.

This is the timeline for what the security researcher says is the vendor’s failed fixes:

October 2017: A string of issues with kids’ smartwatches kicked off with the Norwegian Consumer Council’s (NCC’s) report that looked at four models and found that they were giving parents a false sense of security. Some features, such as the SOS panic button and the geofencing alerts to keep track of kids’ whereabouts, didn’t work reliably.

Most worrying of all, the NCC found that through simple steps, strangers could take control of the smartwatches. Given the lack of security in the devices, eavesdroppers could listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.

17 November 2017: Germany’s telecom regulator, the Federal Network Agency (BNetzA), called kids’ smartwatches illegal spying devices and banned them.

On the 22nd, a stern TV review of the smartwatches aired. The findings at the time: you couldn’t stop the wiretapping except with a hammer, Dreher said.

23 November 2017: The next day, Dreher went to Amazon to pick up a Paladin smartwatch. No wiretap, he saw on the product listing. Huh, he thought, looking at the timeline to date.

After a decade in hardware security, he knew that there was no way a fix could have been done so fast. He started researching the smartwatches and found that the models all shared a common backend API that works as an intermediary and storage point between the GPS watches and the associated mobile apps.

He discovered flaws in how the GPS watches communicate with the backend API server. As a matter of fact, as he noted in his recent Troopers presentation, the flaws he initially found in Vidimensio’s Paladin smartwatch also affected over 20 other models from the same vendor.

December 2017: Dreher first reports his findings to Vidimensio. The researcher said that the company failed to take action. In spite of the ban, the watches kept selling like hotcakes in Austria and Germany, so Dreher worked with German IT news publication Heise.de to report the security flaws to the manufacturer.

April 2018: Under public pressure, Vidimensio issued fixes. All good? Not so much, given that, according to Dreher, the patches only addressed the eavesdropping threat, but not the other security flaws, including the ability to alter data on the API server and send commands to users’ watches.

Flaws come in handy to send ‘PWNED!’ message

Dreher told ZDNet that he’s been using one of the security flaws to insert fake GPS coordinates into people’s location history. Just like the map-cat hacker, he input fake GPS coordinates to look like the word “PWNED!” when displayed on the location history section map, which is shown inside the mobile app and the watch web dashboard.

He doesn’t feel bad about it. After all, those watches were supposed to have been melted into goo or however you destroy a wiretapping smartwatch, in accordance with the BNetzA’s ban:

I inserted fake GPS coordinates in watches (about 300) that have not been online since early 2018. I assume these watches have been destroyed by their owners as the BNetzA stated in their ban notice.

The exploit relies on changing a simple parameter, and entering another user’s ID. User IDs are sequential: they start at 0 and go up to the number assigned to the latest registered user (which was around 7,000 as of Tuesday, when ZDNet published its writeup).

Dreher tried to get BnetzA to force Vidimensio into fixing the security flaws, but it declined.

Dreher’s presentation featured this list of GPS watch models that he says still suffer from the security flaws.

So much for Germany’s ban on eavesdropping kids’ smartwatches. ZDNet reports that they’re still being sold, people still love them, and authorities aren’t enforcing the ban.

On the plus side, as ZDNet’s Catalin Cimpanu notes, EU authorities in February issued the first-ever product recall over data security issues.

The product? A smartwatch for kids.


Is it ever OK for hackers to make unauthorised changes out of frustration? We discussed this very issue in December 2018 when a “helpful” researcher took over thousands of printers to prove a point. [The hacking section starts at 18’19”.]

(Audio player above not working? Download MP3, listen on Soundcloud or access via iTunes.)