Slashdot Mirror
TicTocTrack Smartwatch Flaws Can Be Abused To Track Kids (threatpost.com)
secwatcher shares a report from Threatpost: A popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children. Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children's location, spoof the child's location or view personal data on the victims' accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch's service and app while it investigates further. Researchers found that the service's back end does not make any authorization attempt on any request -- besides the user having a valid username and password combination. That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia.
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.
I tried calling his daughter but for some reason she never picks up. On the plus side, I was able to use the watch to have his Tesla pick me up and give me a ride to work. 3 stars, would buy again.
If they treat it as a consumer product, there should be a minimum set of security guidelines and steps a company is required to take. None of this "license agreement" crap.
However, writing down the guidelines and steps in a clear-cut way into law is difficult. If the text is too specific, then companies find a way around them, and if they are too general, they are messy and expensive to enforce, for both sides. This includes abuse of law against the company. A fuzzy cannon shoots out of both ends.
Table-ized A.I.
This is hardly the first report of kids' smartwatches being insecure tracking devices. We've heard that in 2017, in 2018 again, quite bluntly, if you haven't heard it by now, you probably don't give a rat's ass about your kids' privacy.
Then again, buying such a watch is already a pretty good indicator that you don't give a fuck about your kids' privacy, so...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.