Slashdot Mirror

← Back to Stories (view on slashdot.org)

Attackers Can Track Kids' Locations Via Connected Watches

Posted by BeauHD on from the kids-safety dept.

secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."

18 of 33 comments (clear)

  1. The good news is by Anonymous Coward · · Score: 1

    you always know where your kid is. The bad news is, so does everyone else.

  2. Re:Is that a crime? by fermion · · Score: 1

    No crime, just lawsuits. one kid get nabbed and the company issued to oblivion.

    --
    "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  3. No shit, Sherlock by DogDude · · Score: 1

    I'd guess that 90% of things connected to the Internet today shouldn't be. But, people are lazy. So, nothing will change.

    --
    I don't respond to AC's.
    1. Re:No shit, Sherlock by Anonymous Coward · · Score: 1

      Who had the weird idea that kid locations should go into a database?

      If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere. So even if hackers overran my company, they couldn't get any locations. It'd be cheaper for my company too - not having to store the location of hundred thousand kids in realtime, and no worrying about lawsuits if a kidnapping ring hacks my company computer.

      What is it with this sickness, that everything has to go through someone's server? Even when said server adds no value to the system? I once had some students make a simple multiplayer phone game - where they played using bluetooth/network without any server inbetween. People who saw it found that aspect so special - for me it was just the natural way of doing it. No server needed, so the game could be played even without a connection to the global Internet. As it should be.

    2. Re:No shit, Sherlock by stealth_finger · · Score: 1

      Who had the weird idea that kid locations should go into a database?

      If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere.

      Yeah, but then how would you sell that data to third parties?

      --
      Wanna buy a shirt?
      https://www.redbubble.com/people/stealthfinger/shop?asc=u
    3. Re:No shit, Sherlock by Opportunist · · Score: 1

      And how do you plan to sell the data that you don't have access to?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Stranger attacks? by dryeo · · Score: 4, Insightful

    How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
    Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.

    --
    https://en.wikipedia.org/wiki/Inverted_totalitarianism
    1. Re:Stranger attacks? by Opportunist · · Score: 2

      While I agree 100%, the thing here is that the exposure to the threat is unnecessary. It is possible to implement this in a secure manner with very little effort. If this was only possible with a lot of expense or at the expense of functionality, I'd be right with you. But what we are dealing here is just lazy engineering, opening a security hole where none needs to exist.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Stranger attacks? by mjwx · · Score: 1

      How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
      Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.

      Whilst you're 100% correct that most child disappearances (well, kidnappings and disappearances in general) are done by family or close, trusted people, the reason why we still talk about it 30 years later is because we're genetically programmed to care about children, and not just our own. This genetic programming is often combined with the media's love of hyperbole to get eyeballs to blow stories completely out of proportion (erm... see Madeline McCann).

      However it also should be noted that the last 30 (probably 50) years there's been a huge emphasis on teaching children about the dangers of strangers which has done a lot to cut down on abductions.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    3. Re:Stranger attacks? by CrimsonAvenger · · Score: 1

      However it also should be noted that the last 30 (probably 50) years there's been a huge emphasis on teaching children about the dangers of strangers which has done a lot to cut down on abductions.

      Citation?

      Children kidnapped by strangers happens so infrequently that it's hardly a blip, and pretty much always has been. Runaways are ~1000x more numerous. And "missing children" as a result of miscommunication (Grandma picks up the kids from school because Dad asked her to, and Mom, not knowing this, panics - or switch position of Mom and Dad, same deal) are even more numerous....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
  5. Re:Why would you by Anonymous Coward · · Score: 1

    Probably the same selfish animal instincts that got them the kid in the first place.

  6. Re:Why would you by dwillden · · Score: 1

    We have a similar device, the location feature is just an extra. I've used it more to figure out where the kid left the watch when he's taken it off. (ex. At the pool during swimming lessons, it fell underneath the bench where he and his brothers' towels were so didn't get picked up and put back on after the lesson ended.)

    We've also sent the then 11 y/o across town on the commuter rail system and I use it to ensure he gets off at the right stop to be met by his mother.

    It's a slow process, it takes about a minute to poll the device and update the location every time you check it. But if in doubt I can get a general idea of where he is.

    Also a local news story covered an attempted kidnapping, thwarted in part due to one of these watches a couple years ago. https://www.ksl.com/article/41008494

    --
    I'm too lazy to compose a creative sig.
  7. Or an attacker could use their eyes by johnsie · · Score: 1

    Easy to track someone when you're standing beside them.

    1. Re:Or an attacker could use their eyes by Opportunist · · Score: 1

      Sure, but you could be seen by someone who thinks it's odd that an adult undresses a kid with his eyes and follows said kid around. People do tend to be sensitive to that kind of thing by now.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Is that a crime? by Opportunist · · Score: 2

    Or someone pissed enough of the whole IoT makers flaunting their disregard for the privacy of their users who doesn't give a shit about kids who makes a webpage that tracks every kid and puts their whereabouts and how to pretend you're daddy when luring them somewhere...

    Hold my beer.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Change the entire system, this has gone too far. by Anonymous Coward · · Score: 1

    Even worse, your own government can track individual citizens with the same kind of devices. On top of that,all your interaction data is being sold to other people and companies, sometimes with complete profiles of you.

    That seems equally as bad,if not worse. Why not fix the root problem rather than 'think of the children' lameisms

    I don't want to be tracked or sold either. Child, adult, why should it matter?

  10. 6+ years of this shit... Will anything happen? by wardrich86 · · Score: 1

    I've been reading stories like this since at least 2012 with some VTech devices. When will the manufacturers be held accountable for the shit security in their devices?

  11. Attackers indisutinguishable from company by hermi · · Score: 1

    It's not worse that attackers can do that than that the company can do that.