Slashdot Mirror


Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API (zdnet.com)

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number of vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children's smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness of these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.

49 comments

  1. check out their talks on youtube by Anonymous Coward · · Score: 0

    https://www.youtube.com/channe...

    I worked for enno in the past :)

  2. Waiting for the followup by Zak3056 · · Score: 2

    The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history.

    Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

    --
    What part of "shall not be infringed" is so hard to understand?
    1. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      So the alternative is to leave it and maybe let paedophiles quietly track the children?

    2. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Being a vigilante is still a crime, regardless.

    3. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      If protecting yourself is a crime, then the law is defective and deserves no respect.

    4. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      The fake GPS coordinates in people's history concern me more for crime and framing people. Knowing how shitty security is overall in the consumer sphere, I would hate to see convictions based on some of this "evidence".

    5. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Fucking with other people's private data is protecting yourself?

    6. Re:Waiting for the followup by redelm · · Score: 1

      Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.

      Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.

    7. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Technically it's like a 737 MAX software bug, only worse. Like the company KNEW and did nothing. If one were on a jury, one would find damage and misfeasance against the manufacturer.

      A better idea would be more co-ordinates that read 'Return for a full refund - defective product with security and privacy issues'. After that - the stores just might never stock their product again.

    8. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Yes your honor, I smashed his window and stole his TV for my protection.

    9. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Your data isn't private if any fool can mess with it.

    10. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      You do what you gotta do...

    11. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      Yes. It's not his job to police the security of other companies. He's acting like a Cherub of Justice and he really needs to get a life.

      Oh and "think of the children" is a lame excuse. Children are the responsibility of their parents or legal guardians.

    12. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      In fact, I can prove it.

      See how the front of the TV is now smashed in? That's where I used the TV to protect myself from his baseball bat.

    13. Re:Waiting for the followup by parkinglot777 · · Score: 1

      Aaaaannd this is where the "white hat" crossed the line.

      So you mean because the company did nothing at all for over a year?

      ... after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers.

    14. Re:Waiting for the followup by ffkom · · Score: 1

      The German government did not attempt a "recall", but told its population in no uncertain terms that owning such a camouflaged eavesdropping device is a crime according to German law.

    15. Re:Waiting for the followup by ffkom · · Score: 1

      Indeed it would have been a much more clever idea for him to sell his knowledge anonymously to whatever crook pays best for the exploit.

      Exactly this is what the defective laws on "hacking" clearly ask for.

    16. Re:Waiting for the followup by Anonymous Coward · · Score: 0

      I hate you anti-vigilante pussies.

    17. Re:Waiting for the followup by Darinbob · · Score: 1

      "Researcher" is a loose title it seems, just claim it and it's yours. Food researcher, leisure researcher, porn researcher, etc.

    18. Re:Waiting for the followup by Darinbob · · Score: 2

      "Hey, you left your front door unlocked and even though it's a safe neighborhood it is my responsibility to teach you a security lesson by pooping on your coffee table.
      --
      Sincerely yours,
      Home Security Researcher"

    19. Re:Waiting for the followup by PKFC · · Score: 1

      So having RTFA and watched the video of his presentation, his initial concerns were reported to the vendor and a 90 day window to fix the vulnerabilities was given. The 90 day window lapsed and the story on the vulnerabilities was published in the media. As that applies to the initial vulnerabilities found, I do not know if that applies to the current data injection or if a new window was applied for this vulnerability; however, the presentation showed that there were 2900 and change devices active in 2019. The data injected to write pwned was applied to any device not active in 2019, which three months into the year seems like a fair assessment of a device that is no longer in use. I'd like to hear your suggestion on what more reasonable option is present on bringing attention to these issues. Like most things, it should be a matter of "trust, but verify", so this guy verified and found an issue. A government agency also investigated these devices, however it seems their investigation was not as thorough as this.

  3. Re:today I learned by jfdavis668 · · Score: 1

    I wonder what the German word for "pwned" is.

  4. Re:today I learned by Sique · · Score: 2

    I do too, and I am German.

    --
    .sig: Sique *sigh*
  5. Children and the elderly? by Anonymous Coward · · Score: 0

    I guess it's cool to troll GPS watch maps for people between the ages of 18 to 65...but when you do it to children and the elderly...HACKING IS NOT COOL!!!! NOT COOL.

  6. "Researcher" by NicknameUnavailable · · Score: 2, Insightful

    What's with this new trend of calling every script kiddie under the sun a "researcher?"

    1. Re: "Researcher" by Anonymous Coward · · Score: 0

      Painting a default negative view of the term "security researcher", just like how the term "hacker" is commonly viewed as a negative.

      Misappropriation does wonders for cultural bastardization.

    2. Re:"Researcher" by Anonymous Coward · · Score: 1

      Probably because this guy is part of Daimler's security team and presents research at security conferences. If that's a script kiddie, then I don't know what security researcher means to you.

    3. Re:"Researcher" by Anonymous Coward · · Score: 0
      What's with this new trend of calling every script kiddie under the sun a "researcher?"

      It's a hell of a lot better than the old days when Geraldo Rivera called Kevin Mitnick a "digital Hannibal Lecter", and every news article about some kid copying a game online, or screwing around with a Bearcat scanner listening to cell phone frequencies made them into some sort of Bond Villain.

      If only we'd known to use the word "security researcher" instead of hacker, we could have avoided all that media BS of the 80s and 90s.

    4. Re:"Researcher" by Anonymous Coward · · Score: 0

      Dunno, I'm still trying to figure out the trend where asshats on Slashdot make ignorant, condescending posts about security researchers.

    5. Re:"Researcher" by Anonymous Coward · · Score: 0

      Security tester is the right word. Then Security Engineer.
      Researchers research, building on existing knowledge. Hopefully consumer law like 'fit for use', 'of merchantable quality' and durability issues make the purveyor accountable for defective product.

    6. Re:"Researcher" by TeknoHog · · Score: 1

      If they knew what they were doing, they wouldn't call it research.

      --
      Escher was the first MC and Giger invented the HR department.
    7. Re:"Researcher" by NicknameUnavailable · · Score: 1

      Found a script kiddie.

  7. Re:today I learned by Exitar · · Score: 1

    Easy!

    Google translate:
    pawned -> verpfändet
    Remove 1st vowel
    pwnd -> vrpfändet

    And I'm neither English nor German!

  8. Re:today I learned by puddingebola · · Score: 2

    The German word for pwned is powenschreitaggewurstbelungblitzenzeitung.

  9. Re:today I learned by Anonymous Coward · · Score: 0

    "pwned" is supposed to be a typo of "owned"

    So, google translate:
    owned -> im Besitz
    So, "besitz!" for short.
    Typo of "b" on QWERTY is likely to be "v"

    So vesitz is the most likely candidate.

  10. He really shouldn't have done that... apk by Anonymous Coward · · Score: 0

    He really shouldn't have done that - that'd be like me saying "well, I know hosts work for security so write a virus to immunize everyone, like it or not" (which would be wrong of course).

    I don't do that - I merely offer a tool others can use, freely & most importantly, VOLUNTARILY of their own volition.

    * I do understand that @ times these guys go for "responsible disclosure" & get ATTACKED by the organization w/ the security error though (almost like "you can't win trying to do the 'right thing'" etc. - et al) though - which is also BOGUS & WRONG.

    (Especially if they go thru the "proper channels/procedure" approaching the company w/ the problem in their software or hardware).

    APK

    P.S.=> He should NOT have done what he did - that's "hacking/cracking" (by "FORCIBLY PROVING YOUR POINT") imo... apk

  11. Re:today I learned by isj · · Score: 1

    blitzgekriegt ?

  12. Re:today I learned by Anonymous Coward · · Score: 0

    You are partially correct. "owned", in this instance, is simple present passive, though

    That's why, retrofitting the typo you applied, "pwned!" would translate to "vesessen!" or more precisely "in Vesitz genommen!"; add a few more typos to stay in character...

  13. Re:today I learned by fazig · · Score: 1

    Although some contextual translation into "besiegt" (defeated/beaten) or "erwischt" (busted/caught) or "vernichtet" (destroyed/annihilated) are possible here and there, there is no thought concept of "pwned" in the German language that can be associated with a specific word.
    Hence someone belonging to the younger generations in Germany would just say "pwned", if it isn't used within the context of a sentence that allows for a different expression to be used. Even then they may still say "pwned" because it's convenient.

    Although as of yet it has not been officially adopted into the German language through the Duden, it's certainly on the track to become a loanword.

  14. Re:today I learned by Sique · · Score: 1

    I would rather use "besetzt" (occupied). But "besetzt" has a different connotation than owned. Besetzt would always be preliminary, and not to stay, and it has also a connotation of illegality. "Besessen" has a double meaning, as it either means "has been owned" (and is no longer owned), or it means "bewitched".

    --
    .sig: Sique *sigh*
  15. Re:today I learned by Darinbob · · Score: 1

    Connotations of illegality aren't out of place with "pwned". It doesn't mean that there was a fair and open transaction taking place such that now I own your ass.

  16. RTFA by DrYak · · Score: 1

    Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

    He didn't do it for immediately demonstrating a flaw he'd just found, nor for the lulz.

    He spent a whole year (the flaw was found in December 2017) attempting to work it out with both the manufacturer (who according to the article eventually patched one single flaw of the long list in March 2018, but basically left the whole rest of the watch as a giant gaping security flaw) and with the authority (whose reaction was: "we did issue a ban for the smartwatch for children, we've already done our job" - despite the ban not being actively enforced and the products still being sold).

    Feeling powerless through the regular channels, he eventually decided to step out of the pure "white hat" approach, and go into whistle-blowing territory.

    Also, he did it on the data collection coming from 300 watches which haven't been online since early 2018.
    i.e.: probably watches that aren't used anymore, perhaps because they were indeed destroyed/recycled back when the ban got issued.

    So he's very likely not even fucking with other people's data, but leftover data that isn't used anymore.

    TL;DR: At some point when all the official channels don't lead to anything constructive, some might start considering going the vigilante's route.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  17. Keeping the metaphor by DrYak · · Score: 1

    Except that, if you RTFA (yes, I know /. ):

    In this case, they have been leaving their door unlocked and wide-open in a very unsafe neighborhood (we're speaking about the internet here. That's really far from a secure place), for MORE THAN A YEAR.

    By some insane luck, nothing horrible has happened yet. (Or didn't get reported to the authorities).

    Meanwhile, the researcher has spent the whole year trying to work it out, metaphorically writing letters and putting post-it notes to anyone concerned.

    He tried explaining to the manufacturer of the door that they've basically forgotten to put a lock on the door in the factory. Manufacturer responds by fixing a hinge of the door which breaks easily, but forgets about everything else. (They only fixed 1 single flaw, ignoring everything else and still leaving everything vulnerable).

    He tried explaining to the law enforcement, who simply said that they've put out a recommendation for people to stop buying these doors - but aren't actually doing anything in practice to stop the door being sold in home improvement shops.

    Eventually, the researcher picked up 300 random houses which seemed abandoned for more than a year, and decided to teach a lesson by entering and pinning a giant "PWND!" poster to the wall of the living room of those houses.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  18. Re:today I learned by Sique · · Score: 1

    But that's only for pwned, not for owned. An owned car is by no means illegal property. A besetztes house definitely is.

    --
    .sig: Sique *sigh*