Parents could be unwittingly putting their children's safety and privacy at risk, thanks to security vulnerabilities in potentially millions of kids' GPS-tracker watches.
These cheapo watches are supposed to be worn by the youngsters, and use SIM cards to connect to cellular networks. The idea is they beam to backend servers the GPS-located coordinates of the wearer so their parents can, via a website or app, find out where the tykes are at all times.
The devices also display any messages and take calls from guardians, can listen in on a child's activities using a microphone, and warn if the kid has strayed out of a particular area, such as the playground.
However, an investigation by British security shop Pen Test Partners has shown that the software used by a smartphone app that communicates with the watches is so poorly coded that the connections are easy to hijack. This means miscreants can snoop on kids as if they were their parents.
The probe began when a friend of one of the infosec bods bought a MiSafes Kid's Watcher for his offspring, a snap at just £10 for the unit. But after playing around with it, they found shocking levels of insecurity. It appears that the same weak code has been reused in a lot of other GPS watches, too.
"We believe that in excess of a million smart kids tracking watches with similar vulnerabilities are being used, possibly in excess of 3 million globally," said researcher Alan Monie on Tuesday. "These are sold under numerous brands, but all appear to use remarkably similar APIs, suggesting a common original device manufacturer or ODM."
No encryption - what is this, the 1990s?
The key problem is that the app and the GPS watch do not encrypt their communications, and transmit virtually all data in plain text for anyone to snoop on or meddle with. This includes profile pictures, names, gender, dates of birth, height, weight, and so on, of the child. The watches talk to backend servers, and those servers pass on the info to apps used by the parents.
By simply intercepting and changing the user ID number in the phone app's request to the backend servers for information on a child, you can gain full access to data on that particular youngster. In other words, you can make an API request using any ID number and you'll get the photograph, whereabouts, and other details for the child of that ID. You can set the ID to anything you like, and produce a shopping catalog of potential victims for savvy predators.
Thus, a miscreant or pervert could, for example, just buy one of these things, tamper with the backend connection using Burp Suite or a similar tool on the network, and abuse the vulnerability to request the whereabouts of strangers' kids, who may be playing on their own. Scumbags could also send messages to kids to trick them into accepting a ride from a stranger, who happens to know exactly where they are.
Seeing as the watch reports its position every five minutes, you can also track the location of a child in near-real-time.
Monie wrote a simple C# program to automate this process. With it he could have accessed the accounts of over 12,000 MiSafes watches, downloading a photo of each child along with their name and the other personal details listed above, plus the phone number of the parents and of the watch itself.
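The flaw described above is a textbook insecure direct object reference: the backend checks only that the caller is logged in, then trusts whatever child ID the request carries. The following is an added illustration, not code from Pen Test Partners, MiSafes or any watch vendor; the endpoint functions, the in-memory records, the session tokens and the ID range are all constructed for the example. It shows the vulnerable lookup beside a hardened one that ties authorisation to the authenticated account, and the enumeration loop that turns one valid login into a catalogue of every record the server will hand out.

```python
"""Illustrative IDOR demonstration (constructed data; not the real watch API)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Child:
    child_id: int
    name: str
    dob: str
    lat: float
    lon: float
    parent_phone: str


# Constructed backend state: child records and the parent account owning each.
CHILDREN = {
    1001: Child(1001, "Alice", "2011-03-02", 51.501, -0.142, "+44 7700 900001"),
    1002: Child(1002, "Bob", "2012-07-19", 53.480, -2.242, "+44 7700 900002"),
    1003: Child(1003, "Carol", "2010-11-30", 55.953, -3.188, "+44 7700 900003"),
}
OWNER_OF = {1001: "parent_a", 1002: "parent_b", 1003: "parent_c"}
# Session token -> authenticated parent account (constructed for the example).
SESSIONS = {"tok-a": "parent_a", "tok-b": "parent_b"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to see the requested record."""


def vulnerable_get_child(session_token: str, child_id: int) -> Child:
    """Checks only that the caller is logged in, then trusts child_id outright."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    # Never asks whether this caller actually owns the child: any valid session
    # can pull any record simply by changing the number in the request.
    return CHILDREN[child_id]


def hardened_get_child(session_token: str, child_id: int) -> Child:
    """Resolves the caller from the session and checks ownership before returning."""
    caller = SESSIONS.get(session_token)
    if caller is None:
        raise Forbidden("not logged in")
    # Authorisation is a property of (caller, object), not of the object alone.
    # The same error is returned whether the ID is absent or belongs to another
    # account, so error differences cannot be used to enumerate valid IDs.
    if OWNER_OF.get(child_id) != caller:
        raise Forbidden("no such child for this account")
    return CHILDREN[child_id]


def enumerate_children(lookup, session_token: str, id_range: range) -> list:
    """Walks an ID range with one valid login and keeps whatever comes back.

    This is the automation step: against the vulnerable endpoint a sequential
    loop turns a single account into a list of every child on the platform.
    """
    found = []
    for cid in id_range:
        try:
            found.append(lookup(session_token, cid))
        except (Forbidden, KeyError):
            continue
    return found


if __name__ == "__main__":
    for name, fn in (("vulnerable", vulnerable_get_child), ("hardened", hardened_get_child)):
        records = enumerate_children(fn, "tok-a", range(1000, 1010))
        print(f"{name}: parent_a can see {[c.name for c in records]}")
```

Run stand-alone, the script shows parent_a retrieving all three children through the vulnerable endpoint and only their own through the hardened one. The fix is not to hide the ID or make it harder to guess; it is the ownership check on every object access, keyed on the identity the server established from the session rather than on anything the client sent.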
To stop just anyone calling the child's watch, the device has a white-list of approved phone numbers. But the caller ID is easy to spoof, so someone could make a call or message that appeared to come from a parent or trusted party.
It's also child's play to hijack the watch's remote listening facility, turning it into a bugging device. The only indication that something is amiss is a busy sign on the watch face.
"These new attack vectors can not only be performed remotely (including capturing the IMEI remotely), but allow an attacker to build up a global picture of the location of all the children," said Monie. "Combined with caller ID spoofing, this attack becomes really nasty."
Attempts to contact the manufacturer have failed – by Pen Test Partners and ourselves – so it's unlikely that the devices will ever be patched. We advise parents to make the devices safe themselves, by deleting the app and disassembling the watches with a large hammer or brick. ®