Activity

  • Eskesen Finch posted an update 4 years, 6 months ago

    Roughly three million kids’ GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts

    Gadgets can be hacked to spy on, find youngsters, researchers claim

    Parents could be unwittingly putting their children’s safety and privacy at risk, thanks to security vulnerabilities in potentially millions of kids’ GPS-tracker watches.

    These cheapo watches are meant to be worn by the youngsters, and use SIM cards to connect to cellular networks. The idea is they beam the GPS-located coordinates of the wearer to backend servers so their parents can, via a website or app, find out where the tykes are year-round.

    The watches can display messages and take calls from guardians, let guardians listen in on children’s activities using a microphone, and warn if the kid has strayed out of a particular area, such as the playground.

    However, an investigation by British security shop Pen Test Partners has shown that the software used by a smartphone app that communicates with watches is so poorly coded that the connections are simple to hijack. This means miscreants can snoop on kids as if they were their parents.

    The probe began when a friend of one of its infosec bods obtained a MiSafes Kid’s Watcher for his offspring, a snap at just 10 for the unit. But after playing around with it, they found shocking levels of insecurity. It appears that the same weak code has been reused in a lot of other GPS watches, too.

    "We believe that in excess of one million smart kids’ tracking watches with similar vulnerabilities are being used, possibly substantially more than 3 million globally," said researcher Alan Monie on . "These are sold under numerous brands, but all appear to employ remarkably similar APIs, suggesting a common original device manufacturer or ODM."

    No encryption – what is this, the 1990s?

    The key problem is that the app and the GPS watch do not encrypt their communications, and transmit virtually all data in plain text for anyone to snoop on or meddle with. This includes profile pictures, names, gender, dates of birth, height, weight, and so on, of the tot. The watches talk to backend servers, and those servers pass on their info to apps used by the parents.

    By simply intercepting and changing the user ID number in the phone app’s request to the backend servers for information on a child, you get full access to data on that specific youngster. In other words, you could make an API request using any ID number and obtain the photograph, whereabouts, and other details for the child with that ID. You can set the ID to whatever you like, and build up a shopping catalog of potential victims for savvy predators.

    Thus, a miscreant or pervert could, for example, just buy one of the things, tamper with the backend connection using Burp Suite or a similar tool on the network, and abuse the vulnerability to request the whereabouts of strangers’ kids, who may be playing on their own. Scumbags could also send messages to kids to trick them into accepting a ride from a local stranger, who happens to know exactly where they are.

    Seeing as the watch communicates every five minutes, you could also track the location of a child in near-real-time.

    After Monie wrote a simple C# program to automate this process, he was able to access the accounts of over 12,000 MiSafes watches, and also download a photo of each child, plus their name and other aforementioned personal details, in addition to the phone number of the parents and of the watch itself.

    To stop just anyone calling the child’s watch, the device has a whitelist of approved phone numbers. But the caller ID can be spoofed, so someone could make a call or send a message that appeared to come from a parent or trusted party.

    It’s also child’s play to hijack the watch’s remote listening facility, turning it into a bugging device. The only indication that something is amiss is a busy sign on the watch face.

    "These new attack vectors can furthermore be performed remotely (including capturing the IMEI remotely), but allow an attacker to build up a global picture of the location of all the children," said Monie. "Combined with caller identification spoofing, this attack becomes really horrible."

    Attempts to contact the manufacturer by Pen Test Partners and ourselves have not succeeded, so it’s unlikely that the devices will be patched. We advise parents to make the devices safe themselves, by deleting the app and disassembling the watches with a large hammer or brick.
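
The user-ID flaw described above comes down to a missing server-side ownership check. The following is an added example, not code from the article, Pen Test Partners or the vendor: it puts a handler that trusts the client-supplied ID beside one that checks the account-to-watch pairing, and flags accounts that are denied on many different IDs. All names, IDs and records are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: parent accounts and the watch IDs paired with them.
PAIRINGS = {"parent-a": {1001}, "parent-b": {1002, 1003}}
PROFILES = {
    1001: {"name": "child-one", "last_fix": (51.50, -0.12)},
    1002: {"name": "child-two", "last_fix": (53.48, -2.24)},
    1003: {"name": "child-three", "last_fix": (55.95, -3.19)},
}


class Forbidden(Exception):
    """Raised when an account asks for a watch it is not paired with."""


def get_profile_unchecked(session_user, watch_id):
    # The flaw the article describes: the ID in the request is trusted as-is,
    # so any logged-in account can read any child's record.
    return PROFILES[watch_id]


def get_profile_checked(session_user, watch_id, denied_log):
    # Authorise against the server-side pairing, never the request alone.
    # Unknown and unpaired IDs get the same answer, so IDs cannot be probed.
    if watch_id not in PAIRINGS.get(session_user, set()):
        denied_log.append((session_user, watch_id))
        raise Forbidden("watch not paired with this account")
    return PROFILES[watch_id]


def enumeration_suspects(denied_log, threshold=3):
    # Accounts denied on `threshold` or more distinct watch IDs look like
    # they are walking the ID space rather than mistyping one value.
    seen = defaultdict(set)
    for user, watch_id in denied_log:
        seen[user].add(watch_id)
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

The check only helps if the session identity is itself trustworthy, which also requires the encrypted transport the article notes is missing.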