Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API (zdnet.com) 49
An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.
Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number of vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children's smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness to these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.
Waiting for the followup (Score:3)
The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history.
Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").
Re: (Score:3)
"Hey, you left your front door unlocked and even though it's a safe neighborhood it is my responsibility to teach you a security lesson by pooping on your coffee table.
--
Sincerely yours,
Home Security Researcher"
Keeping the metaphor (Score:2)
Except that, if you RTFA (yes, I know /. ):
In this case, they have been leaving their door unlocked and wide-open in a very unsafe neighborhood (we're speaking about the internet here. That's really far from a secure place), for MORE THAN A YEAR.
By some insane luck, nothing horrible has happened yet. (Or didn't get reported to the authorities).
Meanwhile, the researcher has spent the whole year trying to work it out, metaphorically writing letters and putting post-it notes to anyone concerned.
He tried explai
Re: (Score:2)
Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.
Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.
Re: (Score:2)
Aaaaannd this is where the "white hat" crossed the line.
So you mean because the company did nothing at all for over a year?
... after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers.
Re: (Score:2)
Exactly this is what the defect laws on "hacking" clearly ask for.
Re: (Score:2)
"Researcher" is a loose title it seems, just claim it and it's yours. Food researcher, leisure researcher, porn researcher, etc.
Re: (Score:2)
So having RTFA and watching the video on his presentation, his initial concerns were reported to the vendor and a 90 day window to fix the vulnerabilities was given. The 90 day window lapsed and the story on the vulnerabilities was published in the media. As that applies to the initial vulnerabilities found, I do not know if that applies to the current data injection or if a new window was applied for this vulnerability, however, the presentation showed that there were 2900 and change devices active in 201
RTFA (Score:2)
Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").
He didn't do it for immediately demonstrating a flaw he'd just found, nor for the lulz.
He spent a whole year (flaw was found in December 2017) attempting to work it out with both the manufacturer (who according to the article eventually patched one single flaw of the long list in March 2018, but basically left the whole rest of the watch as a giant gaping security flaw) and with the authority (whose reaction was: "we did issue a ban for the smartwatch for children, we've already done our job" - despit
Re: (Score:2)
Easy!
Google translate:
pawned -> verpfändet
Remove 1st vowel
pwnd -> vrpfändet
And I'm neither English nor German!
Re: (Score:2)
Connotations of illegality aren't out of place with "pwned". It doesn't mean that there was a fair and open transaction taking place such that now I own your ass.
Re: (Score:2)
blitzgekriegt ?
Re: (Score:2)
Hence someone belonging to the younger generations in Germany would just say "pwned", if it isn't used within the context of a sentence that allows for a different expression to be used. Even then they may still say "pwned" because it's