Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Databases Privacy Software Hardware Technology

Attackers Can Track Kids' Locations Via Connected Watches 33

secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."
This discussion has been archived. No new comments can be posted.

Attackers Can Track Kids' Locations Via Connected Watches

Comments Filter:
  • by Anonymous Coward

    you always know where your kid is. The bad news is, so does everyone else.

  • I'd guess that 90% of things connected to the Internet today shouldn't be. But, people are lazy. So, nothing will change.
    • by Anonymous Coward

      Who had the weird idea that kid locations should go into a database?

      If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere. So even if hackers overran my company, they couldn't get any locations. It'd be cheaper for my company too - not having to store the location of hundred thousand kids in realtime, and no worrying about

      • Who had the weird idea that kid locations should go into a database?

        If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere.

        Yeah, but then how would you sell that data to third parties?

      • And how do you plan to sell the data that you don't have access to?

  • Stranger attacks? (Score:5, Insightful)

    by dryeo ( 100693 ) on Wednesday January 30, 2019 @10:10PM (#58048926)

    How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
    Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.

    • While I agree 100%, the thing here is that the exposure to the threat is unnecessary. It is possible to implement this in a secure manner with very little effort. If this was only possible with a lot of expense or at the expense of functionality, I'd be right with you. But what we are dealing here is just lazy engineering, opening a security hole where none needs to exist.

    • by mjwx ( 966435 )

      How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
      Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.

      Whilst you're 100% correct that most child disappearances (well, kidnappings and disappearances in general) are done by family or close, trusted people, the reason why we still talk about it 30 years later is because we're genetically programmed to care about children, and not just our own. This genetic programming is often combined with the media's love of hyperbole to get eyeballs to blow stories completely out of proportion (erm... see Madeline McCann).

      However it also should be noted that the last 30

      • However it also should be noted that the last 30 (probably 50) years there's been a huge emphasis on teaching children about the dangers of strangers which has done a lot to cut down on abductions.

        Citation?

        Children kidnapped by strangers happens so infrequently that it's hardly a blip, and pretty much always has been. Runaways are ~1000x more numerous. And "missing children" as a result of miscommunication (Grandma picks up the kids from school because Dad asked her to, and Mom, not knowing this, panics

  • Easy to track someone when you're standing beside them.
    • Sure, but you could be seen by someone who thinks it's odd that an adult undresses a kid with his eyes and follows said kid around. People do tend to be sensitive to that kind of thing by now.

  • Even worse, your own government can track individual citizens with the same kind of devices. On top of that,all your interaction data is being sold to other people and companies, sometimes with complete profiles of you.

    That seems equally as bad,if not worse. Why not fix the root problem rather than 'think of the children' lameisms

    I don't want to be tracked or sold either. Child, adult, why should it matter?

  • I've been reading stories like this since at least 2012 with some VTech devices. When will the manufacturers be held accountable for the shit security in their devices?
  • It's not worse that attackers can do that than that the company can do that.

Over the shoulder supervision is more a need of the manager than the programming task.

Working...