Researchers point out the vulnerabilities of inexpensive smart watches that track children's location information

Smartwatches and location trackers for children exist to keep children safe by letting parents know where they are at any moment. Security researchers have pointed out, however, that many of these products are made by Chinese companies with sloppy security practices, so that a malicious person can obtain a child's location information.

IoT Vuln Disclosure: Children's GPS Smart Watches (R7-2019-57)
https://blog.rapid7.com/2019/12/11/iot-vuln-disclosure-childrens-gps-smart-watches-r7-2019-57/



Rapid7, a cybersecurity company, provides penetration testing services that examine how an attacker launching a cyber attack could exploit the vulnerabilities of a system.

Under the guidance of Deral Heiland, Rapid7's IoT research lead, the company's research team investigated whether GPS-enabled children's smartwatches are vulnerable. The subjects of the survey were smartwatches purchased from Amazon: 'Children's SmartWatch', 'G36 Children's Smartwatch' and 'SmarTurtles Kid's Smartwatch'. The survey revealed that the three watches have almost identical hardware and software, and that they all share the same vulnerabilities.



All three smartwatches are intended to be used with an iPhone or Android app, and use 'SeTracker' or 'SeTracker2' as the companion app and back-end cloud service. Both apps were published by a developer account called 'wcr', and the app index service AppBrain links that account to 3G Electronics, a company based in Shenzhen, China. The watches themselves also appear to be rebranded versions of hardware supplied by 3G Electronics.

According to Rapid7's researchers, these children's smartwatches have one technical vulnerability and two problems that are not technical in nature. The technical vulnerability is the lack of a working SMS filtering function; the two other problems are that the device's default password is not documented anywhere and that the device vendor provides no contact information.

◆ The device vendor provides no contact information
On the point that the seller of the device provides no contact information, Rapid7 tried to reach the vendor by various means, but could not find a way to contact the seller of any of the three smartwatches. SmarTurtles Kid's Smartwatch does have an official website, but it too offers no way to contact the seller.

For this reason, Rapid7 writes that if you care about the safety, privacy and security of the cloud services behind IoT devices, you should not use products whose seller cannot be clearly identified.



As mentioned above, no seller contact could be identified for any of the smartwatches, but Rapid7 did manage to find an email address for 3G Electronics, the presumed developer. The reply to that message said that a different email address was the correct contact; when Rapid7 wrote to that address, the message bounced because the destination mailbox had reached its storage limit, and contact was never established.

◆ The SMS filtering function does not work
Since the devices are children's smartwatches, the instruction manual states that the watch is designed to communicate only with specific phone numbers. Those phone numbers are added to a whitelist in the app, but the filtering function does not actually work: Rapid7 points out that it is possible to exchange messages with the watch from phone numbers that are not on the whitelist.

Also, because the sender's phone number is easy to spoof, SMS filtering would not be very effective even if it were implemented correctly, and Rapid7 says it cannot recommend it as a security control.

◆ The device's default password is not documented anywhere
The default password for all three smartwatches is "123456", but this is not written anywhere in the documentation.
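To make the two preceding points concrete, here is a small model of the SMS command gate such a watch would need: a sender whitelist and a command password. This is an added example, not code from the article or from Rapid7's report. The command syntax 'pw,<password>,<command>#', the command name 'ts' and the phone numbers are assumptions made for the example; only the default password "123456" and the whitelist behaviour described above come from the report. The scenarios show why a non-working filter is exploitable, why even a working filter falls to a spoofed sender number, and why changing the default password is the check that actually holds.

```python
"""Model of the SMS command gate on a child's GPS watch (added example).

Assumptions for this example, not taken from the article or the Rapid7 report:
the command format 'pw,<password>,<command>#', the command name 'ts',
and the phone numbers used below.
"""
import re
from dataclasses import dataclass, field

DEFAULT_PASSWORD = "123456"  # undocumented factory default reported by Rapid7

# Assumed command syntax: "pw,<password>,<command>#"
COMMAND_RE = re.compile(r"^pw,(?P<password>[^,#]+),(?P<command>[A-Za-z0-9_]+)#$")


@dataclass
class Watch:
    """One watch: its SMS password, the numbers allowed to command it, and
    whether the sender whitelist is actually enforced."""
    password: str = DEFAULT_PASSWORD
    whitelist: set = field(default_factory=set)
    enforce_whitelist: bool = True  # the reported bug: the filter does not work

    def handle_sms(self, sender: str, body: str) -> str:
        """Decide what an incoming SMS does and return a short outcome string."""
        m = COMMAND_RE.match(body.strip())
        if not m:
            return "ignored: not a command"
        # Sender filter: only useful when enforced, and bypassable by spoofing
        # the sender number, which is why Rapid7 rejects it as a security control.
        if self.enforce_whitelist and sender not in self.whitelist:
            return "rejected: sender not on whitelist"
        # Password: the one check a spoofed sender cannot satisfy,
        # provided the factory default has been changed.
        if m.group("password") != self.password:
            return "rejected: wrong password"
        return "executed: " + m.group("command").lower()


def audit(watch: Watch) -> list:
    """Configuration checks a parent or reviewer would want to run."""
    findings = []
    if watch.password == DEFAULT_PASSWORD:
        findings.append("default password in use")
    if not watch.enforce_whitelist:
        findings.append("sender whitelist not enforced")
    if not watch.whitelist:
        findings.append("sender whitelist is empty")
    return findings


def demo() -> dict:
    """Replay the report's scenarios with constructed phone numbers."""
    parent, attacker = "+15550000001", "+15550009999"
    locate = "pw,123456,ts#"  # constructed command body using the default password

    # 1. As shipped: filter ineffective and default password, so any sender gets in.
    as_shipped = Watch(whitelist={parent}, enforce_whitelist=False)
    # 2. Filter working, but password still the default.
    filtered = Watch(whitelist={parent}, enforce_whitelist=True)
    # 3. Password changed: spoofing the sender is no longer enough.
    hardened = Watch(password="k9Tq2vZp4", whitelist={parent}, enforce_whitelist=True)

    return {
        "as_shipped": as_shipped.handle_sms(attacker, locate),
        "filter_only": filtered.handle_sms(attacker, locate),
        "filter_spoofed": filtered.handle_sms(parent, locate),  # sender field forged
        "hardened_spoofed": hardened.handle_sms(parent, locate),
        "hardened_real_parent": hardened.handle_sms(parent, "pw,k9Tq2vZp4,ts#"),
        "audit_as_shipped": audit(as_shipped),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} {outcome}")
```

Running the block prints one line per scenario. The "filter_spoofed" case is the one that matters in practice: with the whitelist enforced but the default password still in place, an SMS whose sender field is forged to the parent's number is executed, so the whitelist is not a substitute for changing the password.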


Because of these three problems, anyone who knows the smartwatch's phone number can monitor the watch fairly easily: Rapid7 points out that an attacker can check the current location of the child wearing it and talk to the child through the voice chat function. Rapid7 also states that the SMS filtering issue cannot be fixed without a firmware update, and since there is no way to contact the developer, an update is unlikely.

Rapid7 is not the only one reporting on vulnerabilities in GPS smartwatches for children. Avast, another cybersecurity company, has warned about the security risks of children's location trackers sold on Amazon.com and elsewhere.

Security company warns that information on over 600,000 GPS trackers is exposed online with the password "123456" - GIGAZINE

in Software,   Hardware,   Security, Posted by logu_ii