TicTocTrack Smartwatch Flaws Can Be Abused To Track Kids (threatpost.com) 42
secwatcher shares a report from Threatpost: A popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, has been discovered to be riddled with security issues that could allow hackers to track and call children. Researchers at Pen Test Partners revealed vulnerabilities in the watch (sold in Australia) on Monday, which could enable hackers to track children's location, spoof the child's location or view personal data on the victims' accounts. The parent company of the TicTocTrack watch, iStaySafe Pty Ltd., has temporarily restricted access to the watch's service and app while it investigates further. Researchers found that the service's back end does not make any authorization attempt on any request -- besides the user having a valid username and password combination. That means that an attacker who is logged into the service could remotely compromise the app and track other accounts that are based in Australia.
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.
The smartwatch, available in Australia for $149 (USD), is designed for children and uses GPS to track the movement of the wearer every six minutes, and offers voice calling and SMS features. The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data -- including the children's location, parent's full names, phone numbers and other personal identifiable information. Researchers with Pen Test Partners collaborated with security researcher Troy Hunt to test the attack. Hunt uploaded a video showing how the smartwatch vulnerability could be exploited to call his daughter -- and how her smartwatch would answer automatically without any interaction needed from her end.
Didn't work for me (Score:3)
Re: Not abused. It was the point. (Score:1)
I'm pretty sure having random people call and track your child wasn't a selling point
Re: (Score:2)
If those people stopped voting for candidates who push the policies that result in the problems you describe, they wouldn't have those problems and we wouldn't make fun of them for being stupid.
Re: (Score:2)
Precision English is hard (Score:2)
If they treat it as a consumer product, there should be a minimum set of security guidelines and steps a company is required to take. None of this "license agreement" crap.
However, writing down the guidelines and steps in a clear-cut way into law is difficult. If the text is too specific, then companies find a way around them, and if they are too general, they are messy and expensive to enforce, for both sides. This includes abuse of law against the company. A fuzzy cannon shoots out of both ends.
Re: (Score:2)
I'd argue in favor of a somewhat vague "general principles" law that also includes specific cases of behavior that would *definitely* be a violation of those principles to make it easy to prosecute those who violate any of the examples thought of while writing the law, without letting criminals escape justice by adhering to the letter of the law.
I'd ague that - except that was the guiding principle of the U.S. Bill of Rights, and good luck bringing someone to justice for violating a non-enumerated right.
Re: (Score:1)
"license agreement" crap will not fly in Australia if is a consumer. Consumer law will say its not fit for purpose, and refunds will flow IF you cite the relevant legal clauses. Now to get that companies ABN and pull the directors up.
Google and RoboCallers (Score:1)
1. Google are already tracking your children.
2. Real and robocallers can already call your children, and pretty much anyone with a phone.
Is there a secure one? (Score:3)
This is hardly the first report of kids' smartwatches being insecure tracking devices. We've heard that in 2017 [which.co.uk], in 2018 again [bbc.com], quite bluntly, if you haven't heard it by now, you probably don't give a rat's ass about your kids' privacy.
Then again, buying such a watch is already a pretty good indicator that you don't give a fuck about your kids' privacy, so...
Re: (Score:2)
Re: (Score:2)
What people forget is that kids have WAY more time to figure out how to cheat and manipulate those things than they have to set them up. Not to mention that the average 8 year old knows more about mobile devices than his parents.
And through the ages kids have spent half their wits and smarts (and that of their friends) to escape parental supervision. The other half was spent cheating on school tests.
Re: (Score:2)
I understand the desire to know where your kid is all the time, but independence is a big part of growing up.