How I found vulnerabilities that could jeopardise child safety.

How it started

A friend recently showed me a tracker watch that he’d purchased for his young son for less than £10. It offered useful functionality such as two-way calling using a SIM and cellular connection. The accompanying app allowed him to track the location of his son. He was interested in the security of the device, so I had a look. It was bad… really bad.

It was a Misafes ‘Kids Watcher’, which we found on Amazon, eBay and various other online retailers:

TL;DR

Using IDOR attacks, I could:

retrieve real time GPS coordinates of the kids watches

call the child on their watch

create a covert one-way audio call, spying on the child

send audio messages to the child on the watch, bypassing the approved caller list

retrieve a photo of the child, plus their name, date of birth, gender, weight & height

TLS… what’s that?

I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application, such as phone numbers and passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight were all transmitted across the internet in cleartext.

The vulnerabilities

With a couple of watches paired to different testing phones, I had a play with various authorisation and Insecure Direct Object Reference (IDOR) attacks.

The only check the API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, shown below, allows an attacker to return the watch location and device_id associated with that family.

The watch updates the GPS coordinates to the API every five minutes, so it’s nearly real-time location data. With that information, it would be easy to iterate through the family_ids and recover the location and device_ids of all children. The IDs appeared to be sequential, and we estimate there are around 12,000. Hundreds were registered whilst I was doing this research.

I decided to write a proof-of-concept application in C# that allowed our watches to be tracked in real time. We didn’t access data for any other watches, for obvious legal reasons, but it would be trivial to create a real-time map of children like this if one was so motivated:

The API also kept track of previous locations, so it would be possible to click on a marker and show the routes that child took on a daily basis, and from that to anticipate where they were going to be.

The device_id parameter in the get_watch_info action is also vulnerable to IDOR. A request to this returns the child’s phone number, encryption keys, and watch IMEI number:

Finally, it was possible to recover the phone number of the parents by spoofing the family_id in the get_group_list action:
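The three IDOR findings above (family_id in get_watch_data_latest and get_group_list, device_id in get_watch_info) share one root cause: the API authenticates the session but never checks that the requested object belongs to the caller. The block below is an added example, not Misafes code and not the C# proof-of-concept from this write-up. It is written in Python with constructed users, tokens, families, devices and log lines, and with assumed handler names. It shows the vulnerable shape beside a hardened one that ties family_id and device_id to the authenticated user, and a simple server-side log check that flags a session walking through many family_ids, the enumeration described above.

```python
# Added example (not Misafes code): the IDOR pattern described in the write-up
# beside a hardened handler. Users, tokens, families, devices, log lines and the
# handler names are all constructed for illustration.

# Constructed data: session token -> user id (the only mapping the real API checked)
SESSIONS = {"tok-alice": "uid-1", "tok-mallory": "uid-2"}
# Constructed data: family -> set of member user ids
FAMILY_MEMBERS = {"fam-100": {"uid-1"}, "fam-101": {"uid-2"}}
# Constructed data: device -> owning family plus the fields the write-up says leak
DEVICES = {
    "dev-500": {"family_id": "fam-100", "lat": 51.501, "lon": -0.142, "phone": "+44-7700-900100"},
    "dev-501": {"family_id": "fam-101", "lat": 53.480, "lon": -2.242, "phone": "+44-7700-900101"},
}


def authenticate(uid, session_token):
    """The check the write-up says the API does perform: the token belongs to uid."""
    return SESSIONS.get(session_token) == uid


def is_family_member(uid, family_id):
    """The check it does not perform: is the caller actually in this family?"""
    return uid in FAMILY_MEMBERS.get(family_id, set())


def latest_watch_for_family(family_id):
    for device_id, dev in DEVICES.items():
        if dev["family_id"] == family_id:
            return {"device_id": device_id, "lat": dev["lat"], "lon": dev["lon"]}
    return None


# --- Vulnerable shape: authentication only, object id taken straight from the request
def get_watch_data_latest_vulnerable(uid, session_token, family_id):
    if not authenticate(uid, session_token):
        return 401, {"error": "bad session"}
    return 200, latest_watch_for_family(family_id)  # any valid session reads any family


# --- Hardened shape: every object id is authorised against the authenticated user
def get_watch_data_latest_hardened(uid, session_token, family_id):
    if not authenticate(uid, session_token):
        return 401, {"error": "bad session"}
    if not is_family_member(uid, family_id):
        return 403, {"error": "forbidden"}
    return 200, latest_watch_for_family(family_id)


def get_watch_info_hardened(uid, session_token, device_id):
    if not authenticate(uid, session_token):
        return 401, {"error": "bad session"}
    dev = DEVICES.get(device_id)
    # Same response for "does not exist" and "not yours": a 404/403 split would
    # still let a caller confirm which sequential device_ids are live.
    if dev is None or not is_family_member(uid, dev["family_id"]):
        return 403, {"error": "forbidden"}
    return 200, {"device_id": device_id, "phone": dev["phone"]}


# --- Server-side detection of the family_id sweep the write-up describes ----------
# Constructed access-log lines: "<time> <session_token> <action> <object_id>"
ACCESS_LOG = [
    "10:00:01 tok-alice get_watch_data_latest fam-100",
    "10:00:05 tok-mallory get_watch_data_latest fam-100",
    "10:00:06 tok-mallory get_watch_data_latest fam-101",
    "10:00:07 tok-mallory get_watch_data_latest fam-102",
    "10:00:08 tok-mallory get_watch_data_latest fam-103",
    "10:05:02 tok-alice get_watch_data_latest fam-100",
]


def sessions_walking_family_ids(log_lines, threshold=3):
    """Sessions that requested at least `threshold` distinct family_ids. A genuine
    parent polls one family every few minutes; walking many ids is the sweep."""
    distinct = {}
    for line in log_lines:
        _time, token, action, object_id = line.split()
        if action == "get_watch_data_latest":
            distinct.setdefault(token, set()).add(object_id)
    return sorted(token for token, ids in distinct.items() if len(ids) >= threshold)


if __name__ == "__main__":
    print(get_watch_data_latest_vulnerable("uid-2", "tok-mallory", "fam-100"))
    print(get_watch_data_latest_hardened("uid-2", "tok-mallory", "fam-100"))
    print(sessions_walking_family_ids(ACCESS_LOG))
```

The point of the hardened handlers is that the session token answers "who is calling?" and nothing else; the family_id and device_id in the request still have to be checked against that identity on every action, including get_group_list. The log check is a coarse back-stop, not a substitute for the authorisation check: with sequential IDs and a five-minute update cycle, even a rate-limited sweep recovers a lot before it trips a threshold.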

Calling kids through the watches

The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and accept calls from. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.

Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this? A VoIP-based PBX could also be used and integrated into the rogue Kid Tracker application. Point and click and you could call any child you wanted.

This is not Daddy calling!

Audio snooping on kids

The app also allowed the watch to be turned into a remote listening device; the child doesn’t have to interact with the watch at all. Putting aside the obvious moral and child privacy issues, is it secure? Of course not!

It was possible to pass a valid device_id to the activate_monitor_mode action in the API, and that would cause the watch to automatically answer any call from a number on the whitelist. As before, spoofing the Caller ID would allow anyone to remotely listen in on a child. If the watch was left elsewhere in a household, it becomes a remote listening device for anyone on the internet.

Activating Monitor Mode:

Monitor mode:

The call was automatically answered, the watch briefly displayed a “Busy” message, then the screen went blank. The watch did not ring, so no one would know who was listening in or from where.

Tracking millions of kids?

My colleague Vangelis looked at the APIs for numerous smart watches and other GPS tracking devices as part of his ‘trackmageddon’ project.

We’ve compared that data and those APIs with the findings from the Misafes watch: based on mobile app download stats, published sales stats and new device IDs granted by the APIs, we believe that in excess of a million smart kids’ tracking watches with similar vulnerabilities are in use, possibly in excess of 3 million globally. These are sold under numerous brands, but all appear to use remarkably similar APIs, suggesting a common original design manufacturer, or ODM.

Disclosure

We tried multiple ways to contact Misafes, but got nothing back. The BBC also made extensive enquiries on our behalf but also drew a blank. That echoes the experience of SEC Consult who found unrelated issues in a Misafes camera.

We understand that eBay has just pulled the product, and it also appears that it’s no longer available on Amazon.

Conclusion

My friend paid £9 for the watch, and I paid around £35 each for an extra two. When margins are that thin, it becomes less likely that manufacturers spend money on security testing. This could compromise the security of a child.

Thanks to Scott Alexander (@gooshy) for sparking my interest in the watch.

We felt bad that we’d taken away his son’s watch, so we replaced it with one that’s had a bit more time spent on security. We hope you like your new Apple Watch!

Shout out

The Norwegian Consumers Council did some excellent work on similar watches in 2017 as part of their #watchout campaign. However, their findings first required physical access to the watch to obtain the IMEI before it could be tracked.

These new attack vectors can not only be performed remotely (including capturing the IMEI remotely), but allow an attacker to build up a global picture of the location of all the children. Combined with caller ID spoofing, this attack becomes really nasty.