Last year, researchers in Norway discovered several major security flaws in kids GPS watches. These flaws could give any hacker access to the child’s watch and allow them to use the camera, talk to the child, and stalk them. Now, the researchers have decided to see if anything has changed with the security of the watches.
See our podcast interview highlighting the issue here: https://latesthackingnews.com/2018/11/20/latest-hacking-news-podcast-167/
Status Quo
Researchers at Pen Test Partners decided to test TechSixtyFour’s Gator watch which was one of the devices that scored poorly. In the new report, Pen Test Partners were less than impressed. They stated:
“Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches.”
Vangelis Stykas from Pen Test Partners found that they could change the user level to “super admin access” via a web portal in the Gator 3. He also said that the system didn’t check whether the user should have this level of access.
Stykas went on to say that child predators or malicious attackers could have snooped on as many as 20,000 customer accounts and 35,000 affected devices.
NCC Report
In 2017, the Norwegian Consumer Council (NCC) issued a report about the internet-of-things wrist wraps. The report caused a lot of bad press and led to companies like John Lewis pulling the Gator 2 kids GPS watches.
TechSixtyFour founder Coleen Wong later wrote on the company’s blog in November 2018 that they were working on the issues. Wong stated that they had performed a complete month-long system overhaul and hired a vulnerability assessment firm to work with the company.
Vulnerability Patched
The company TechSixtyFour is the UK distributor for the Gator watches. The back-end service is from a Chinese company called Caref Watch Co Ltd. The web element used to change user access was removed but still left the flaw in place. Later, Caref apologized and removed the form and parameter. The flaw was fully patched from 16 January.
Stykas has stated that because of the low price point of these watches, there is little revenue available to cover the cost of security. He said their advice was to avoid such watches, as they “don’t decrease your risk, they actively increase it.”
Alternatively analogue watches would never suffer from such issues 😀
