Year after being blasted for dodgy security, GPS kid tracker biz takes heat again for leaving families' private info lying around for crims

If you're going to lo-jack your offspring, at least be secure

A manufacturer of child-tracking smartwatches was under fire this week following the discovery of a second major security lapse in its technology in as many years.

Back in late 2017, Gator-branded wearables were among various kid-monitoring gizmos raked over the coals by Norwegian researchers who found the devices were trivial to remotely hijack. These gadgets are essentially cellular-connected smartwatches youngsters wear so that parents can watch over their offspring from afar, tracking their whereabouts, listening in on built-in microphones, and contacting them.

Fast forward roughly a year, and Brit infosec outfit Pen Test Partners decided to take a look at the security of these gadgets to see if defenses had been shored up. The team found that the web portal used by families to monitor their tykes' Gator watches had a pretty bad exploitable bug.

Logged-in parents could specify in a user-controlled parameter their access level, allowing them to upgrade their accounts to administrator level. That could be exploited by stalkers, crims and other miscreants to snoop on as many 30,000 customers, obtain their contact details, and identify and track the location of children.

"This means that an attacker could get full access to all account information and all watch information," explained Pen Test Partners' Vangelis Stykas earlier this week.

"They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch."

He explained: "The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control."


Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts


The attacker would also be able to change the email and passwords on a given watch to lock victims out of devices. The researcher noted that other child-monitoring watch brands likely share the same web backend as Gator, meaning other gizmos would also be prone to the same attack.

While TechSixtyFour – which owns the Gator brand and built the vulnerable web portal – patched the flaw a few days after Pen Test Partners reported the programming cock-up in January, Stykas was critical of the biz and what he described as a "train wreck" situation.

Pen Test Partners alerted UK-based TechSixtyFour on January 11, and gave them a month to fix it due to the wide-open nature of the hole. TechSixtyFour asked for two months, but the request was denied. At first, the manufacturer tried to address the vulnerability and wound up blocking the researchers' accounts with HTTP 502 errors, according to Stykas. In the end, it was patched by January 16.

TechSixtyFour founder Colleen Wong defended her company's handling of security issues, noting that the gizmo maker maintains a full vulnerability disclosure policy, and since 2017 has undergone yearly penetration tests.

"We appreciate Ken Munro of Pen Test Partners disclosing this vulnerability to us, and our team have taken this seriously as our fix was completed within 48 hours. An internal investigation of the logs did not show that anybody had exploited this flaw for malicious purposes," Wong said in a statement to The Register on Friday.

She added that TechSixtyFour's engineers "implemented a partial fix within 12 hours. They then identified the root cause and deployed a full fix within 48 hours of the notification."

TechSixtyFour is not alone in catching heat for its shoddy GPS watch security. In November of last year, Pen Test Partners discovered multiple vendors were using insecure transmission methods, and Stykas doesn't expect any of the smartwatch makers to improve any time soon.

"On a wider scale the GPS watch market needs to ensure that their products are adequately tested. The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security," Stykas said.

"Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it." ®

Other stories you might like

  • Tesla driver charged with vehicular manslaughter after deadly Autopilot crash

    Prosecution seems to be first of its kind in America

    A Tesla driver has seemingly become the first person in the US to be charged with vehicular manslaughter for a deadly crash in which the vehicle's Autopilot mode was engaged.

    According to the cops, the driver exited a highway in his Tesla Model S, ran a red light, and smashed into a Honda Civic at an intersection in Gardena, Los Angeles County, in late 2019. A man and woman in the second car were killed. The Tesla driver and a passenger survived and were taken to hospital.

    Prosecutors in California charged Kevin George Aziz Riad, 27, in October last year though details of the case are only just emerging, according to AP on Tuesday. Riad, a limousine service driver, is facing two counts of vehicular manslaughter, and is free on bail after pleading not guilty.

    Continue reading
  • AMD returns to smartphone graphics with new Samsung chip for your pocket computer

    We're back in black

    AMD's GPU technology is returning to mobile handsets with Samsung's Exynos 2200 system-on-chip, which was announced on Tuesday.

    The Exynos 2200 processor, fabricated using a 4nm process, has Armv9 CPU cores and the oddly named Xclipse GPU, which is an adaptation of AMD's RDNA 2 mainstream GPU architecture.

    AMD was in the handheld GPU market until 2009, when it sold the Imageon GPU and handheld business for $65m to Qualcomm, which turned the tech into the Adreno GPU for its Snapdragon family. AMD's Imageon processors were used in devices from Motorola, Panasonic, Palm and others making Windows Mobile handsets.

    Continue reading
  • Big shock: Guy who fled political violence and became rich in tech now struggles to care about political violence

    'I recognize that I come across as lacking empathy,' billionaire VC admits

    Billionaire tech investor and ex-Facebook senior executive Chamath Palihapitiya was publicly blasted after he said nobody really cares about the reported human rights abuse of Uyghur Muslims in China.

    The blunt comments were made during the latest episode of All-In, a podcast in which Palihapitiya chats to investors and entrepreneurs Jason Calacanis, David Sacks, and David Friedberg about technology.

    The group were debating the Biden administration’s response to what's said to be China's crackdown of Uyghur Muslims when Palihapitiya interrupted and said: “Nobody cares about what’s happening to the Uyghurs, okay? ... I’m telling you a very hard ugly truth, okay? Of all the things that I care about … yes, it is below my line.”

    Continue reading

Biting the hand that feeds IT © 1998–2022