Slashdot Mirror


Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API (zdnet.com)

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches (some of which are used by children and the elderly) open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number of vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children's smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness of these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map, displayed inside the mobile apps and the watches' web dashboard.

23 of 49 comments

  1. Waiting for the followup by Zak3056 · · Score: 2

    The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history.

    Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

    --
    What part of "shall not be infringed" is so hard to understand?
    1. Re:Waiting for the followup by redelm · · Score: 1

      Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.

      Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.

    2. Re:Waiting for the followup by parkinglot777 · · Score: 1

      Aaaaannd this is where the "white hat" crossed the line.

      So you mean because the company did nothing at all for over a year?

      ... after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers.

    3. Re:Waiting for the followup by ffkom · · Score: 1

      The German government did not attempt a "recall", but told its population in no uncertain terms that owning such a camouflaged eavesdropping device is a crime according to German law.

    4. Re:Waiting for the followup by ffkom · · Score: 1

      Indeed it would have been a much more clever idea for him to sell his knowledge anonymously to whatever crook pays best for the exploit.

      Exactly this is what the defective laws on "hacking" clearly ask for.

    5. Re:Waiting for the followup by Darinbob · · Score: 1

      "Researcher" is a loose title it seems, just claim it and it's yours. Food researcher, leisure researcher, porn researcher, etc.

    6. Re:Waiting for the followup by Darinbob · · Score: 2

      "Hey, you left your front door unlocked and even though it's a safe neighborhood it is my responsibility to teach you a security lesson by pooping on your coffee table.
      --
      Sincerely yours,
      Home Security Researcher"

    7. Re:Waiting for the followup by PKFC · · Score: 1

      So having RTFA and watching the video of his presentation, his initial concerns were reported to the vendor and a 90 day window to fix the vulnerabilities was given. The 90 day window lapsed and the story on the vulnerabilities was published in the media. As that applies to the initial vulnerabilities found, I do not know if that applies to the current data injection or if a new window was applied for this vulnerability; however, the presentation showed that there were 2900 and change devices active in 2019. The data injected to write pwned was applied to any device not active in 2019, which three months into the year seems like a fair assessment of a device that is no longer in use. I'd like to hear your suggestion on what more reasonable option is present for bringing attention to these issues. Like most things, it should be a matter of "trust, but verify", so this guy verified and found an issue. A government agency also investigated these devices; however, it seems their investigation was not as thorough as this.

  2. Re:today I learned by jfdavis668 · · Score: 1

    I wonder what the German word for "pwned" is.

  3. Re:today I learned by Sique · · Score: 2

    I do too, and I am German.

    --
    .sig: Sique *sigh*
  4. "Researcher" by NicknameUnavailable · · Score: 2, Insightful

    What's with this new trend of calling every script kiddie under the sun a "researcher?"

    1. Re:"Researcher" by Anonymous Coward · · Score: 1

      Probably because this guy is part of Daimler's security team and presents research at security conferences. If that's a script kiddie, then I don't know what security researcher means to you.

    2. Re:"Researcher" by TeknoHog · · Score: 1

      If they knew what they were doing, they wouldn't call it research.

      --
      Escher was the first MC and Giger invented the HR department.
    3. Re:"Researcher" by NicknameUnavailable · · Score: 1

      Found a script kiddie.

  5. Re:today I learned by Exitar · · Score: 1

    Easy!

    Google translate:
    pawned -> verpfändet
    Remove 1st vowel
    pwnd -> vrpfändet

    And I'm neither English nor German!

  6. Re:today I learned by puddingebola · · Score: 2

    The German word for pwned is powenschreitaggewurstbelungblitzenzeitung.

  7. Re:today I learned by isj · · Score: 1

    blitzgekriegt ?

  8. Re:today I learned by fazig · · Score: 1

    Although some contextual translations into "besiegt" (defeated/beaten) or "erwischt" (busted/caught) or "vernichtet" (destroyed/annihilated) are possible here and there, there is no thought concept of "pwned" in the German language that can be associated with a specific word.
    Hence someone belonging to the younger generations in Germany would just say "pwned", if it isn't used within the context of a sentence that allows for a different expression to be used. Even then they may still say "pwned" because it's convenient.

    Although as of yet it has not been officially adopted into the German language through the Duden, it's certainly on the track to become a loanword.

  9. Re:today I learned by Sique · · Score: 1

    I would rather use "besetzt" (occupied). But "besetzt" has a different connotation than owned. Besetzt would always be preliminary, and not to stay, and it also has a connotation of illegality. "Besessen" has a double meaning, as it either means "has been owned" (and is no longer owned), or it means "bewitched".

    --
    .sig: Sique *sigh*
  10. Re:today I learned by Darinbob · · Score: 1

    Connotations of illegality aren't out of place with "pwned". It doesn't mean that there was a fair and open transaction taking place such that now I own your ass.

  11. RTFA by DrYak · · Score: 1

    Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

    He didn't do it for immediately demonstrating a flaw he'd just found, nor for the lulz.

    He spent a whole year (the flaw was found in December 2017) attempting to work it out with both the manufacturer (who according to the article eventually patched one single flaw of the long list in March 2018, but basically left the whole rest of the watch as a giant gaping security flaw) and with the authority (whose reaction was: "we did issue a ban for the smartwatch for children, we've already done our job" - despite the ban not being actively enforced and the products still being sold).

    Feeling powerless through the regular channels, he eventually decided to step out of the pure "white hat" approach, and go into whistle-blowing territory.

    Also, he did it on the data collection coming from 300 watches which haven't been online since early 2018.
    i.e.: probably watches that aren't used anymore, perhaps because they were indeed destroyed/recycled back when the ban got issued.

    So he's very likely not even fucking with other people's data, but leftover data that isn't used anymore.

    TL;DR: At some point when all the official channels don't lead to anything constructive, some might start considering going the vigilante's route.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  12. Keeping the metaphor by DrYak · · Score: 1

    Except that, if you RTFA (yes, I know /. ):

    In this case, they have been leaving their door unlocked and wide-open in a very unsafe neighborhood (we're speaking about the internet here. That's really far from a secure place), for MORE THAN A YEAR.

    By some insane luck, nothing horrible has happened yet. (Or it didn't get reported to the authorities).

    Meanwhile, the researcher has spent the whole year trying to work it out, metaphorically writing letters and putting post-it notes to anyone concerned.

    He tried explaining to the manufacturer of the door that they've basically forgotten to put a lock on the door in the factory. The manufacturer responds by fixing a hinge of the door which breaks easily, but forgets about everything else. (They only fixed 1 single flaw, ignoring everything else and still leaving everything vulnerable).

    He tried explaining to law enforcement, who simply said that they've put out a recommendation for people to stop buying these doors - but aren't actually doing anything in practice to stop the door being sold in home improvement shops.

    Eventually, the researcher picked 300 random houses which seemed abandoned for more than a year, and decided to teach a lesson by entering and pinning a giant "PWND!" poster to the wall of the living room of those houses.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  13. Re:today I learned by Sique · · Score: 1

    But that's only for pwned, not for owned. An owned car is by no means illegal property. A besetztes house definitely is.

    --
    .sig: Sique *sigh*