Domain: pentestpartners.com
Stories and comments across the archive that link to pentestpartners.com.
Stories · 6
-
TicTocTrack Smartwatch Flaws Can Be Abused To Track Kids (threatpost.com)
secwatcher shares a report from Threatpost: A popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children. Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children's location, spoof the child's location or view personal data on the victims' accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch's service and app while it investigates further. Researchers found that the service's back end does not make any authorization attempt on any request -- besides the user having a valid username and password combination. That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia.
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end. -
'Smart' Car Alarm App Could Allow 3 Million Cars To Be Unlocked Remotely (cnet.com)
"Two popular smart alarm systems for cars had major security flaws that allowed potential hackers to track the vehicles, unlock their doors and, in some cases, cut off the engine," reports CNET: The vulnerabilities could be exploited with two simple steps, security researchers from Pen Test Partners, who discovered the flaw, said Friday. The problems were found in alarm systems made by Viper [known as Clifford in the U.K.] and Pandora Car Alarm System, two of the largest smart car alarm makers in the world. The two brands have as many as 3 million customers between them and make high-end devices that can cost thousands...
Both apps' API didn't properly authenticate for update requests, including requests to change the password or email address. Ken Munro, founder of Pen Test Partners, said that all his team needed to do was send the request to a specific host URL and they were able to change an account's password and email address without notifying the victim that anything happened. Once they had access to the account, the researchers had full control of the smart car alarm. This allowed them to learn where a car was and unlock it. You don't have to be near the car to do this, and the accounts can be taken over remotely, Munro said. Potential attackers could also use the apps' API to target specific types of cars, the security researcher added...
Pandora's alarm system also contained a microphone that would've allowed potential hackers to listen in on live audio, the security company found.
Both companies fixed the issue in less than a week, CNET reports, possibly due to the seriousness of the issue. In a video demonstrating the severity of the bug, security researcher Munro even uses the driver's app to set off a car's alarms remotely. When that driver began pulling over, Munro then used the app to cut off the car's engine. "So simple, so serious," he said.
ZDNet notes that one of the companies had been advertising their "smart" alarms as "unhackable". -
Attackers Can Track Kids' Locations Via Connected Watches
secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information." -
MiSafes' Child-Tracking Smartwatches Are 'Easy To Hack' (bbc.com)
The location-tracking "MiSafe" smartwatch may not be as safe as the name proclaims. According to security researchers from Pen Test Partners, the watches are easy to hack as they do not encrypt the data they use or secure each child's account. The researchers found that they could track children's movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to be from parents. The BBC reports: The MiSafes watch was first released in 2015. It uses a global positioning system (GPS) sensor and a 2G mobile data connection to let parents see where their child is, via a smartphone app. In addition, parents can create a "safe zone" and receive an alert if the child leaves the area. The adult can also listen in to what their offspring is doing at any time and trigger two-way calls.
Pen Test Partner's Ken Munro and Alan Monie learned of the product's existence when a friend bought one for his son earlier this year. Out of curiosity, they probed its security measures and found that easy-to-find PC software could be used to mimic the app's communications. This software could be used to change the assigned ID number, which was all it took to get access to others' accounts. This made it possible to see personal information used to register the product, including: a photo of the child; their name, gender and date of birth; their height and weight; the parents' phone numbers; and the phone number assigned to the watch's Sim card. -
Tattling Kettles Help Researchers Crack WiFi Networks In London (pentestpartners.com)
New submitter campuscodi writes: Security researchers at Pen Test Partners have found a security vulnerability in the iKettle Wi-Fi Electric Kettle that allows attackers to crack the password of the WiFi network to which the kettle is connected. Researchers say that using this simple trick and information about iKettles, they drove around London, cracked home WiFi networks, and created a map of insecure WiFi networks across the city. The same researchers cracked a Samsung smart-fridge this summer to disclose Gmail passwords. If you have 6 minutes, there's a YouTube video you can watch. -
Samsung Smart TVs Don't Encrypt the Voice Data They Collect
itwbennett writes A week ago, the revelation that Samsung collects words spoken by consumers when they use the voice recognition feature in their smart TVs enraged privacy advocates, since according to Samsung's own privacy policy those words can in some cases include personal or sensitive information. Following the incident, David Lodge, a researcher with a U.K.-based security firm called Pen Test Partners, intercepted and analyzed the Internet traffic generated by a Samsung smart TV and found that Samsung does send captured voice data to a remote server using a connection on port 443, a port typically associated with encrypted HTTPS, but that the data was not encrypted. "It's not even HTTP data, it's a mix of XML and some custom binary data packet," said Lodge in a blog post.