
posted by chromas on Saturday November 17 2018, @10:24AM   Printer-friendly
from the let-the-internet-do-the-helicopter-parenting-for-you dept.

Up to Three Million Kids' GPS Watches can be Tracked by Parents... and any Miscreant:

Parents could be unwittingly putting their children's safety and privacy at risk, thanks to security vulnerabilities in potentially millions of kids' GPS-tracker watches.

These cheapo watches are supposed to be worn by the youngsters, and use SIM cards to connect to cellular networks. The idea is they beam to backend servers the GPS-located coordinates of the wearer so their parents can, via a website or app, find out where the tykes are at all times.

The devices also display any messages and take calls from guardians, can listen in on a child's activities using a microphone, and warn if the kid has strayed out of a particular area, such as the playground.

However, an investigation by British security shop Pen Test Partners has shown that the software used by a smartphone app that communicates with the watches is so poorly coded that the connections are easy to hijack. This means miscreants can snoop on kids as if they were their parents.

[...] "We believe that in excess of a million smart kids tracking watches with similar vulnerabilities are being used, possibly in excess of 3 million globally," said researcher Alan Monie on Tuesday. "These are sold under numerous brands, but all appear to use remarkably similar APIs, suggesting a common original device manufacturer or ODM."

[...] The key problem is that the app and the GPS watch do not encrypt their communications, and transmit virtually all data in plain text for anyone to snoop on or meddle with. This includes profile pictures, names, gender, dates of birth, height, weight, and so on, of the child. The watches talk to backend servers, and those servers pass on the info to apps used by the parents.

By simply intercepting and changing the user ID number in the phone app's request to the backend servers for information on a child, you can gain full access to data on that particular youngster. In other words, you can make an API request using any ID number and you'll get the photograph, whereabouts, and other details for the child of that ID. You can set the ID to anything you like, and produce a shopping catalog of potential victims for savvy predators.

Thus, a miscreant or pervert could, for example, just buy one of these things, tamper with the backend connection using Burp Suite or a similar tool on the network, and abuse the vulnerability to request the whereabouts of strangers' kids, who may be playing on their own. Scumbags could also send messages to kids to trick them into accepting a ride from a stranger, who happens to know exactly where they are.

Seeing as the watch communicates every five minutes, you can also track the location of a child in near-real-time.

After Monie wrote a simple C# program to automate this process, he would have been able to access the accounts of over 12,000 MiSafe watches, and also download a photo of each child, plus their name and other aforementioned personal details, as well as the phone number of the parents and of the watch itself.
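The flaw described in the excerpt is an insecure direct object reference: the backend looks up whatever child ID the app sends and never checks that the logged-in account owns that watch, so an attacker who can tamper with the request (the Register mentions Burp Suite) can simply walk the ID space. The toy backend below is an added illustration, not code from Pen Test Partners, MiSafes or any watch vendor; the record layout, account names, IDs and coordinates are all constructed for the example. It models the vulnerable lookup, the same lookup with the ownership check bound to the authenticated session, and the kind of ID enumeration the article says Monie automated, so the reader can see exactly what the missing check is and why it defeats enumeration.

```python
# Added example (not the vendor's or the researchers' code). Everything
# here is a constructed model of the endpoint described in the article.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass
class Child:
    child_id: int
    parent_account: str          # account that registered this watch
    name: str
    last_fix: Tuple[float, float]  # (lat, lon) of the last reported position


@dataclass
class Session:
    account: str                 # identity established at login


# Constructed sample data: two parent accounts, three watches.
CHILDREN: Dict[int, Child] = {
    1001: Child(1001, "alice", "A. Example", (51.5007, -0.1246)),
    1002: Child(1002, "bob",   "B. Example", (53.4808, -2.2426)),
    1003: Child(1003, "bob",   "C. Example", (55.9533, -3.1883)),
}


def get_child_vulnerable(session: Session, child_id: int) -> Optional[dict]:
    """The flaw in the article: the server trusts the ID in the request and
    never asks whether the caller's account owns that watch."""
    child = CHILDREN.get(child_id)
    if child is None:
        return None
    return {"name": child.name, "location": child.last_fix}


def get_child_secure(session: Session, child_id: int) -> Optional[dict]:
    """Hardened form: the lookup is followed by an authorization check that
    binds the requested record to the authenticated account. Unknown IDs and
    IDs owned by someone else both yield None, so the response does not even
    confirm which IDs exist."""
    child = CHILDREN.get(child_id)
    if child is None or child.parent_account != session.account:
        return None
    return {"name": child.name, "location": child.last_fix}


Handler = Callable[[Session, int], Optional[dict]]


def enumerate_ids(handler: Handler, session: Session,
                  id_range: Iterable[int]) -> Dict[int, dict]:
    """Model of the automation the article attributes to Monie: walk a range
    of candidate IDs with one legitimate session and keep every ID that
    returns a record. Against the vulnerable handler this harvests every
    child in range; against the secure one it yields only the caller's own."""
    found: Dict[int, dict] = {}
    for cid in id_range:
        rec = handler(session, cid)
        if rec is not None:
            found[cid] = rec
    return found


if __name__ == "__main__":
    alice = Session("alice")
    print("vulnerable:", sorted(enumerate_ids(get_child_vulnerable, alice, range(1000, 1010))))
    print("secure:    ", sorted(enumerate_ids(get_child_secure, alice, range(1000, 1010))))
```

Two design points worth noting. The ownership check must key off the session identity the server established at login, never off an account or parent ID the client supplies in the same request, or the attacker just changes that field too. And the secure handler deliberately returns the same result for "no such ID" and "not your ID": a distinguishable error would let the enumeration still map out which IDs are live, which is most of what the article's "shopping catalog" consisted of.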


  • (Score: 2) by DrkShadow (1404) on Saturday November 17 2018, @03:37PM (#763123)

    I don't think that word means what you think it means.

    Parents could be unwittingly putting their children's [...] privacy at risk[.]

    The idea is they beam to backend servers the GPS-located coordinates of the wearer so their parents can, via a website or app, find out where the tykes are at all times. The devices also display any messages and take calls from guardians, can listen in on a child's activities using a microphone[.]

    How draconian. It's the ones who _don't_ suffer this treatment that are able and capable of dealing with the world, and that end up successful. These ones just end up dependent. And the horror -- the possibility that someone might overhear your spying over an HTTP link while you're in a coffee shop on an untrusted internet connection, to be able to go to the place the kid probably won't be in 15 minutes when the nefarious individual arrives! Gasp!

    I do hope it was the original author's intent to draw attention to just how fucked up this whole thing is rather than someone being able to "eavesdrop" an internet link.
