Article 4861F 18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

by
Cory Doctorow
from on (#4861F)
Story Image

In late 2017, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).

Now, a year and a half later, Pen Test Partners have done another security audit of kids' smart watches and you'll never guess what they found! Kids' smart-watches are still a dumpster-fire: anyone can access the entire database of kids' data, including "real time child location, name, parents details etc," and since most leading brands use the same back-end from Gator, virtually every kid's smart-watch is vulnerable.

Gator patched the vulnerability Pen Test Partners discovered, but I will bet you an organ of your choosing that there are far more waiting to be discovered.

The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!

This means that an attacker could get full access to all account information and all watch information. They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users' emails/passwords to lock them out of their watch.

In fairness, upon our reporting of the vulnerability to them, Gator got it fixed in 48 hours.

GPS watch issues" AGAIN [Pen Test Partners]

18 months on, kids' smart watches are STILL a privacy & security dumpster-fire, and a gift to stalkers everywhere

In late 2107, the Norwegian Consumer Council published its audit of kids' smart-watches, reporting that the leading brands allowed strangers to follow your kids around and listen in on their conversations; a year later, Pen Test Partners followed up to see if anything had changed (it hadn't).

Now, a year and a half later, Pen Test Partners have done another security audit of kids' smart watches and you'll never guess what they found! Kids' smart-watches are still a dumpster-fire: anyone can access the entire database of kids' data, including "real time child location, name, parents details etc," and since most leading brands use the same back-end from Gator, virtually every kid's smart-watch is vulnerable.

Gator patched the vulnerability Pen Test Partners discovered, but I will bet you an organ of your choosing that there are far more waiting to be discovered.

The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!

This means that an attacker could get full access to all account information and all watch information. They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users' emails/passwords to lock them out of their watch.

In fairness, upon our reporting of the vulnerability to them, Gator got it fixed in 48 hours.

GPS watch issues" AGAIN [Pen Test Partners]

(via /.)(via /.)smart watches,internet of shit,iot,kids,parenting,infosec,security,privacy,gator watches from techsixtyfour techsixtyfour

External Content
Source RSS or Atom Feed
Feed Location https://boingboing.net/feed
Feed Title
Feed Link https://boingboing.net/
Reply 0 comments