Connected watches pointed to for major security breaches


Untouchable connected watches? Not really, as a recently published study shows. It highlights a series of critical security problems in connected watch trackers, including services intended to assist the elderly and the vulnerable.

A study published this Thursday by the company Pen Test Partners revealed security problems in the SETracker service, software intended for children and the elderly, in particular those suffering from senile dementia.

This GPS tracking application can be used in tandem with a smart watch by caregivers and patients to place a call when needed. The SETracker app from Chinese developer 3G Electronics, required to use the watches, is available on iOS and Android and has been downloaded more than 10 million times. However, because of security flaws in the product, caregivers and relatives are not the only ones able to follow the movements or activities of the person wearing the watch.

API pointed out

The vendor's software, which now comes in three varieties of mobile app, is often used in inexpensive smart watches from various brands. SETracker is also found in headsets and in the automotive software industry.

According to Pen Test Partners, the first big security issue is an unrestricted server-to-server API. This server could be used to hijack the SETracker service in a number of ways, including changing device passwords, making calls, sending text messages, monitoring, and accessing the cameras built into the devices.

If a tracker's back-end system is based on SETracker, it was possible to send false messages, including “TAKEPILLS” commands, which are configured to remind wearers to take their medication. “A person with dementia is unlikely to remember that they used their medication before,” the researchers noted. “An overdose could easily result,” they lament.
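To make the nature of the flaw concrete, here is an added example (not code from the article, from Pen Test Partners or from 3G Electronics) of a toy device-command API: an unrestricted version in which any caller can send any command to any watch, beside a hardened version that authenticates the caller with a per-caller HMAC key, checks that the caller owns the target device, and allows only an explicit command set. All account names, device ids and keys are constructed for the example.

```python
"""Toy model of a watch-command API: unrestricted vs. hardened dispatch."""
import hmac
import hashlib

# Constructed data: which caregiver account owns which watch, and each
# caller's shared secret (in a real system these live in a secrets store).
DEVICE_OWNER = {"watch-001": "caregiver-alice"}
CALLER_KEYS = {"caregiver-alice": b"alice-secret", "caregiver-bob": b"bob-secret"}
# Only commands the API is meant to expose; anything else is rejected.
ALLOWED_COMMANDS = {"TAKEPILLS", "CALL", "SMS", "SETPASSWORD"}


def unrestricted_send(device_id, command):
    """Weak form: whoever can reach the server can command any device."""
    return {"device": device_id, "command": command, "dispatched": True}


def sign(caller, device_id, command):
    """Caller side: MAC over caller, device and command with the caller's key."""
    msg = f"{caller}|{device_id}|{command}".encode()
    return hmac.new(CALLER_KEYS[caller], msg, hashlib.sha256).hexdigest()


def hardened_send(caller, device_id, command, mac):
    """Hardened form: authenticate, then authorize, then validate the command.
    A production API would also bind a timestamp or nonce to resist replay."""
    key = CALLER_KEYS.get(caller)
    if key is None:
        return {"dispatched": False, "reason": "unknown caller"}
    msg = f"{caller}|{device_id}|{command}".encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return {"dispatched": False, "reason": "bad signature"}
    if DEVICE_OWNER.get(device_id) != caller:    # ownership check
        return {"dispatched": False, "reason": "caller does not own device"}
    if command not in ALLOWED_COMMANDS:          # command whitelist
        return {"dispatched": False, "reason": "command not allowed"}
    return {"device": device_id, "command": command, "dispatched": True}


if __name__ == "__main__":
    print(unrestricted_send("watch-001", "TAKEPILLS"))  # anyone succeeds
    ok = sign("caregiver-alice", "watch-001", "TAKEPILLS")
    print(hardened_send("caregiver-alice", "watch-001", "TAKEPILLS", ok))
    # Bob is a valid account but does not own watch-001: rejected.
    bob = sign("caregiver-bob", "watch-001", "TAKEPILLS")
    print(hardened_send("caregiver-bob", "watch-001", "TAKEPILLS", bob))
```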

Source code also affected

The researchers also came across the source code for the software, which had accidentally been made available to the public via a compiled node file hosted online as an unprotected backup. Server-side code, MySQL passwords, email and text-messaging credentials, and a hard-coded password in the source code – 123456 – were all open to view. A database containing user images was also open to abuse.

“The source code indicated that this bucket was the place where ALL the photos taken by the cameras were sent. We haven’t confirmed that,” says Pen Test Partners. “Given that the use case of these devices is mainly child trackers, it is extremely likely that these images contain images of children,” notes the cybersecurity company.

Pen Test Partners disclosed its findings to 3G Electronics on January 22. The Chinese supplier did not respond until February 12. Triage followed, with the server API vulnerabilities disclosed on February 17 and fixed the following day. On May 20, the researchers reported the node file problem to the vendor, and on May 29, 3G Electronics confirmed that the file had been deleted and that all passwords had been changed.
