Attackers Can Track Kids' Locations Via Connected Watches 33
secwatcher shares a report from Threatpost: A gamut of kids' GPS-tracking watches are exposing sensitive data involving 35,000 children -- including their location, in real time. Researchers from Pen Test Partners specifically took a look at the Gator portfolio of watches from TechSixtyFour. The Gator line had been in the spotlight in 2017 for having a raft of vulnerabilities, called out by the Norwegian Consumers Council in its WatchOut research. "A year on, we decided to have a look at the Gator watch again to see how their security had improved," said Vangelis Stykas, in a Tuesday posting. "Guess what: a train wreck. Anyone could access the entire database, including real-time child location, name, parents' details etc. Not just Gator watches either -- the same back end covered multiple brands and tens of thousands of watches." "At issue was an easy-to-exploit, severe privilege-escalation vulnerability: The system failed to validate that the user had the appropriate permission to take admin control," reports Threatpost. "An attacker with access to the watch's credentials simply needed to change the user level parameter in the backend to an admin designation, which would provide access to all account information and all watch information."
Re: (Score:2)
Re: (Score:3)
Or someone pissed enough of the whole IoT makers flaunting their disregard for the privacy of their users who doesn't give a shit about kids who makes a webpage that tracks every kid and puts their whereabouts and how to pretend you're daddy when luring them somewhere...
Hold my beer.
The good news is (Score:1)
you always know where your kid is. The bad news is, so does everyone else.
Re: (Score:1)
Probably the same selfish animal instincts that got them the kid in the first place.
Re: (Score:2)
We've also sent the then 11 y/o across town on the commuter rail system and I use it to ensure he gets off at the right stop to be met by his mother.
It's a slow process, it takes about a
No shit, Sherlock (Score:2)
Re: (Score:1)
Who had the weird idea that kid locations should go into a database?
If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere. So even if hackers overran my company, they couldn't get any locations. It'd be cheaper for my company too - not having to store the location of hundred thousand kids in realtime, and no worrying about
Re: (Score:2)
Who had the weird idea that kid locations should go into a database?
If I made such a system, I'd make it so the kid location is sent directly to the parent's device (phone or pc). No intermediary. (Other than the network itself, but encryption prevents snooping there.) No cloud. No company server somewhere.
Yeah, but then how would you sell that data to third parties?
Re: (Score:2)
And how do you plan to sell the data that you don't have access to?
Stranger attacks? (Score:5, Insightful)
How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.
Re: (Score:3)
While I agree 100%, the thing here is that the exposure to the threat is unnecessary. It is possible to implement this in a secure manner with very little effort. If this was only possible with a lot of expense or at the expense of functionality, I'd be right with you. But what we are dealing here is just lazy engineering, opening a security hole where none needs to exist.
Re: (Score:2)
How many actual stranger attacks on children are there? Seems like a lot because it sells news, so it is over reported. There was one around here about 30 years back, sad because the kid vanished at a baseball game, but the news still talks about it.
Most child kidnappings seem to be by their divorced other parent and even most molestation is by relatives, friends and trusted figures like the priest, coach or scout leader.
Whilst you're 100% correct that most child disappearances (well, kidnappings and disappearances in general) are done by family or close, trusted people, the reason why we still talk about it 30 years later is because we're genetically programmed to care about children, and not just our own. This genetic programming is often combined with the media's love of hyperbole to get eyeballs to blow stories completely out of proportion (erm... see Madeline McCann).
However it also should be noted that the last 30
Re: (Score:2)
Citation?
Children kidnapped by strangers happens so infrequently that it's hardly a blip, and pretty much always has been. Runaways are ~1000x more numerous. And "missing children" as a result of miscommunication (Grandma picks up the kids from school because Dad asked her to, and Mom, not knowing this, panics
Or an attacker could use their eyes (Score:2)
Re: (Score:2)
Sure, but you could be seen by someone who thinks it's odd that an adult undresses a kid with his eyes and follows said kid around. People do tend to be sensitive to that kind of thing by now.
Change the entire system, this has gone too far. (Score:1)
Even worse, your own government can track individual citizens with the same kind of devices. On top of that,all your interaction data is being sold to other people and companies, sometimes with complete profiles of you.
That seems equally as bad,if not worse. Why not fix the root problem rather than 'think of the children' lameisms
I don't want to be tracked or sold either. Child, adult, why should it matter?
6+ years of this shit... Will anything happen? (Score:2)
Attackers indisutinguishable from company (Score:1)
It's not worse that attackers can do that than that the company can do that.