
Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API (zdnet.com) 49

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number of vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children's smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness to these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.

  • by Zak3056 ( 69287 ) on Wednesday April 03, 2019 @08:22AM (#58377494) Journal

    The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history.

    Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

    • by redelm ( 54142 )

      Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.

      Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.

      • by ffkom ( 3519199 )
        The German government did not attempt a "recall", but told its population in no uncertain terms that owning such a camouflaged eavesdropping device is a crime according to German law.
    • Aaaaannd this is where the "white hat" crossed the line.

      So you mean because the company did nothing at all for over a year?

      ... after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers.

    • by ffkom ( 3519199 )
      Indeed it would have been a much more clever idea for him to sell his knowledge anonymously to whatever crook pays best for the exploit.

      Exactly this is what the defect laws on "hacking" clearly ask for.
    • "Researcher" is a loose title it seems, just claim it and it's yours. Food researcher, leisure researcher, porn researcher, etc.

    • by PKFC ( 580410 )

      So having RTFA and watching the video on his presentation, his initial concerns were reported to the vendor and a 90 day window to fix the vulnerabilities was given. The 90 day window lapsed and the story on the vulnerabilities was published in the media. As that applies to the initial vulnerabilities found, I do not know if that applies to the current data injection or if a new window was applied for this vulnerability, however, the presentation showed that there were 2900 and change devices active in 201

    • by DrYak ( 748999 )

      Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

      He didn't do it for immediately demonstrating a flaw he'd just found, nor for the lulz.

      He spent a whole year (flaw was found in December 2017) attempting to try to work out with both the manufacturer (who according to the article eventually patched one single flaw of the long list in March 2018, but basically left the whole rest of the watch as a giant gaping security flaw) and with the authority (whose reaction was: "we did issue a ban for the smartwatch for children, we've already done our job" - despit

  • What's with this new trend of calling every script kiddie under the sun a "researcher?"
    • by Anonymous Coward
      Probably because this guy is part of Daimler's security team and presents research at security conferences. If that's a script kiddie, then I don't know what security researcher means to you.
    • If they knew what they were doing, they wouldn't call it research.
