Researcher Prints 'PWNED!' On Hundreds of GPS Watches' Maps Due To Unfixed API

An anonymous reader quotes a report from ZDNet: A German security researcher has printed the word "PWNED!" on the tracking maps of hundreds of GPS watches after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers. Speaking at the Troopers 2019 security conference that was held in Heidelberg, Germany, at the end of March, security researcher Christopher Bleckmann-Dreher presented a series of vulnerabilities impacting over 20 models of GPS watches manufactured by Austrian company Vidimensio. The watch models all share a common backend API, which works as an intermediary and storage point between the GPS watches and associated mobile apps.

Back in December 2017, Dreher discovered flaws in the mechanism through which the GPS watches communicate with this backend API server. [...] Dreher's new warning comes as the number vulnerable Vidimensio GPS watches grew ten times since December 2017, despite the warning from German authorities to destroy and stop using children smartwatches with intrusive tracking and eavesdropping capabilities. According to the researcher, the number has grown from around 700 to 7,000, of which 3,000 have been active in the past month. To raise awareness to these still-unpatched devices, Dreher told ZDNet that he has now turned to an unconventional strategy. The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history. The researcher designed these fake GPS coordinates to look like the word "PWNED!" when displayed on the location history section map --displayed inside the mobile apps and the watches' web dashboard.

Waiting for the followup

[Zak3056]

The researcher has been using one of the security flaws he discovered to insert fake GPS coordinates in people's location history.

Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

Re:

[Darinbob]

"Hey, you left your front door unlocked and even though it's a safe neighborhood it is my responsibility to teach you a security lesson by pooping on your coffee table.
--
Sincerely yours,
Home Security Researcher"

Keeping the metaphore

[DrYak]

Except that, if you RTFA (yes, I know /. ):

In this case, they have been leaving their door unlocked and wide-open in a very unsafe neighborhood (we're speaking about the internet here. That's really far from a secure place), for MORE THAN A YEAR.

Be some insane luck, nothing horrible has hapenned yet. (Or didn't get reported to the authorities).

Meanwhile, the researcher has spent the whole year trying to work it out, metaphorically writing letters and putting post-it notes to anyone concerned.

He tried explai

Re:

[redelm]

Yes indeed. Powerful interests do not want devices to be seen as vulnerable, even from other manufacturerers. He has a defense if the German govt really tried a recall -- he could say he is assisting them.

Otherwise, he should be extremely careful about travel, especially where the US has influence. If anyone in the US has this Austrian device and got hacked, he could be liable for "unauthorized access" under US law and extradited.

Re:

[ffkom]

The German government did not attempt a "recall", but told its population in no uncertain terms that owning such a camouflaged eavesdropping device is a crime according to German law.

Re:

[parkinglot777]

Aaaaannd this is where the "white hat" crossed the line.

So you mean because the company did nothing at all for over a year?

... after the watch vendor ignored vulnerability reports for more than a year, leaving thousands of GPS-tracking watches --some of which are used by children and the elderly-- open to attackers.

Re:

[ffkom]

Indeed it would have been a much more clever idea for him to sell his knowledge anonymously to whatever crook pays best for the exploit.

Exactly this is what the defect laws on "hacking" clearly ask for.

Re:

[Darinbob]

"Researcher" is a loose title it seems, just claim it and it's yours. Food researcher, leisure researcher, porn researcher, etc.

Re:

[PKFC]

So having RTFA and watching the video on his presentation, his initial concerns were reported to the vendor and a 90 day window to fix the vulnerabilities was given. The 90 day window lapsed and the story on the vulnerabilities were published in the media. As that applies to the initial vulnerabilities found, I do not know if that applies to the current data injection or if a new window was applied for this vulnerability, however, the presentation showed that there were 2900 and change devices active in 201

RTFA

[DrYak]

Aaaaannd this is where the "white hat" crossed the line. I'm looking forward to the story a few weeks/months from now where we get to be outraged that an "innocent white hat hacker" was arrested for "exposing vulnerabilities" (and not for "fucking with data that wasn't his").

He didn't do it for immediately demonstrating a flaw he'd just found, nor for the lulz.

He spent a whole year (flaw was found in december 2017) attempted to try to work out with both the manufacturer (who according to the article eventually patched one single flaw of the long list in march 2018, but basically left the whole rest of the watch as a giant gaping security flaw) and with the authority (whose reactio aon was: "we did issue a ban for the smartwatch for children, we've already done our job" - despit

Re:

[jfdavis668]

I wonder what the German word for "pwned" is.

Re:

[Sique]

I do too, and I am German.

Re:

[Exitar]

Easy!

Google translate:
pawned -> verpfändet
Remove 1st vowel
pwnd -> vrpfändet

And I'm neither English nor German!

Re:

[Sique]

I would rather use "besetzt" (occupied). But "besetzt" has a different connotation than owned. Besetzt would always be preliminary, and not to stay, and it has also a connotation of illegality. "Besessen" has a double meaning, as it either means "has been owned" (and is no longer owned), or it means "bewitched".

Re:

[Darinbob]

Connotations of illegality aren't out of place with "pwned". It doesn't mean that there was a fair and open transaction taking place such that now I own your ass.

Re:

[Sique]

But that's only for pwned, not for owned. An owned car is by no means illegal property. A besetztes house definitely is.

Re:

[isj]

blitzgekriegt ?

Re:

[puddingebola]

The German word for pwned is powenschreitaggewurstbelungblitzenzeitung.

Re:

[fazig]

Although some contextual translation into "besiegt" (defeated/beaten) or "erwischt" (busted/caught) or "vernichtet" (destroyed/annihilated) are possible here and there, there is no thought concept of "pwned" in the German language that can be associated with a specific word.
Hence someone belonging to the younger generations in Germany would just say "pwned", if it isn't use within the context of a sentence that allows for a different expression to be used. Even then they may still say "pwned" because it's

"Researcher"

[NicknameUnavailable]

What's with this new trend of calling every script kiddie under the sun a "researcher?"

Re:

[Anonymous Coward]

Probably because this guy is part of Daimler's security team and presents research at security conferences. If that's a script kiddie, than I don't know what security researcher means to you.

Re:

[NicknameUnavailable]

Found a script kiddie.

Re:

[TeknoHog]

If they knew what they were doing, they wouldn't call it research.