A manufacturer of child-tracking smartwatches was under fire this week following the discovery of a second major security lapse in its technology in as many years.
Back in late 2017, Gator-branded wearables were among various kid-monitoring gizmos raked over the coals by Norwegian researchers who found the devices were trivial to remotely hijack. These gadgets are essentially cellular-connected smartwatches youngsters wear so that parents can watch over their offspring from afar, tracking their whereabouts, listening in on built-in microphones, and contacting them.
Fast forward roughly a year, and Brit infosec outfit Pen Test Partners decided to take a look at the security of these gadgets to see if defenses had been shored up. The team found that the web portal used by families to monitor their tykes' Gator watches had a pretty bad exploitable bug.
Logged-in parents could specify in a user-controlled parameter their access level, allowing them to upgrade their accounts to administrator level. That could be exploited by stalkers, crims and other miscreants to snoop on as many 30,000 customers, obtain their contact details, and identify and track the location of children.
"This means that an attacker could get full access to all account information and all watch information," explained Pen Test Partners' Vangelis Stykas earlier this week.
"They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch."
He explained: "The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control."
Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for pervertsREAD MORE
The attacker would also be able to change the email and passwords on a given watch to lock victims out of devices. The researcher noted that other child-monitoring watch brands likely share the same web backend as Gator, meaning other gizmos would also be prone to the same attack.
While TechSixtyFour – which owns the Gator brand and built the vulnerable web portal – patched the flaw a few days after Pen Test Partners reported the programming cock-up in January, Stykas was critical of the biz and what he described as a "train wreck" situation.
Pen Test Partners alerted UK-based TechSixtyFour on January 11, and gave them a month to fix it due to the wide-open nature of the hole. TechSixtyFour asked for two months, but the request was denied. At first, the manufacturer tried to address the vulnerability and wound up blocking the researchers' accounts with HTTP 502 errors, according to Stykas. In the end, it was patched by January 16.
TechSixtyFour founder Colleen Wong defended her company's handling of security issues, noting that the gizmo maker maintains a full vulnerability disclosure policy, and since 2017 has undergone yearly penetration tests.
"We appreciate Ken Munro of Pen Test Partners disclosing this vulnerability to us, and our team have taken this seriously as our fix was completed within 48 hours. An internal investigation of the logs did not show that anybody had exploited this flaw for malicious purposes," Wong said in a statement to The Register on Friday.
She added that TechSixtyFour's engineers "implemented a partial fix within 12 hours. They then identified the root cause and deployed a full fix within 48 hours of the notification."
TechSixtyFour is not alone in catching heat for its shoddy GPS watch security. In November of last year, Pen Test Partners discovered multiple vendors were using insecure transmission methods, and Stykas doesn't expect any of the smartwatch makers to improve any time soon.
"On a wider scale the GPS watch market needs to ensure that their products are adequately tested. The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security," Stykas said.
"Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it." ®