When parents buy their children a smartwatch, they often select one that has location tracking capability. The watch keeps constant tabs on the child’s location and reports it back to the parents via an app. This common safety feature has turned into a security issue in hundreds of smartwatch brands using the Thinkrace platform: a newly discovered cloud vulnerability allows third parties to access these watches without any particular hacking skills, and at least 47 million devices are thought to be vulnerable.

How the Thinkrace cloud vulnerability works

The Thinkrace smartwatches share a common cloud platform used to access each device remotely and view its current tracking information.

Security researchers with Pen Test Partners discovered that each device connected to the cloud platform can be accessed with nothing more than the device’s unique identification number. It appears that Thinkrace assigned its devices sequential ID numbers, so increasing or decreasing a known valid number by one would let someone step through and access devices in bulk. The only form of device security is an extremely simple default password that brute-force methods would likely crack in seconds; beyond that, the method requires no authorization at all.
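As an added example (not code from the article, from Pen Test Partners or from Thinkrace), the following Python flags API clients that step through device IDs one at a time, the enumeration pattern the researchers describe; the log line format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed "timestamp client_ip device_id status" format.
SAMPLE_LOG = """\
2019-12-20T10:00:01Z 203.0.113.7 100231 200
2019-12-20T10:00:02Z 203.0.113.7 100232 200
2019-12-20T10:00:03Z 203.0.113.7 100233 200
2019-12-20T10:00:04Z 203.0.113.7 100234 200
2019-12-20T10:00:05Z 203.0.113.7 100235 200
2019-12-20T10:00:06Z 198.51.100.4 100231 200
2019-12-20T10:00:07Z 192.0.2.9 553210 200
2019-12-20T10:00:08Z 192.0.2.9 553209 200
2019-12-20T10:00:09Z 192.0.2.9 553208 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (\d{3})$")

def parse_log(text):
    """Return (client_ip, device_id) pairs in log order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(2), int(m.group(3))))
    return events

def longest_sequential_run(ids):
    """Longest run where each ID is the previous one +/-1 in one consistent direction."""
    best, run, direction = 1, 1, 0
    for prev, cur in zip(ids, ids[1:]):
        step = cur - prev
        if step in (1, -1) and direction in (0, step):
            run += 1
            direction = step
        else:
            run = 2 if step in (1, -1) else 1
            direction = step if step in (1, -1) else 0
        best = max(best, run)
    return best

def flag_enumerators(events, min_distinct=3, min_run=3):
    """Map client_ip -> (distinct_ids, longest_run) for clients that touch many devices or walk IDs in order."""
    per_client = defaultdict(list)
    for ip, dev in events:
        per_client[ip].append(dev)   # a parent's app normally queries one or two IDs
    flagged = {}
    for ip, ids in per_client.items():
        distinct, run = len(set(ids)), longest_sequential_run(ids)
        if distinct >= min_distinct or run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged
```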

Vangelis Stykas, founder of Pen Test Partners, who reported the findings to TechCrunch, thinks that the count of 47 million vulnerable devices is on the conservative side. The security researchers believe that as many as 150 million Thinkrace products may be susceptible to this cloud vulnerability.

Once an attacker has accessed a device by entering its account number into the cloud platform, they have access to all of its functions via a series of commands that are publicly documented. In addition to tracking the child’s current location, an attacker can send and receive voice recordings through the platform, reset the password, and, on certain models, activate the camera.

Not the first smartwatch location tracking issue

While this is one of the most serious vulnerabilities that has appeared in the smartwatch market, it is far from the first. The industry has been plagued with security issues since it began to boom several years ago, particularly in watches that are marketed with child-tracking ability as a primary feature.

As Pen Test Partners pointed out, in almost all cases the cause has been weak security controls and protocols. Thinkrace not only manufactures its own smartwatches but also sells a “white label” API that a number of other manufacturers use, for example the ENOX Group and Avast. Any manufacturer using the Thinkrace API is just as susceptible to this cloud vulnerability. In total, about 360 watches and tracking devices make use of Thinkrace and are therefore subject to this common point of failure.

Pen Test Partners says they have been working on these issues since 2015, but have kept them out of the public eye because Thinkrace and other manufacturers had promised to take care of them. Some white label partners apparently made efforts to secure their own endpoints, but Thinkrace itself has been reluctant to address its cloud vulnerability, which led to the Pen Test Partners public statement.

One of the biggest problems with this cloud vulnerability is that the white label partners often do not disclose that they are using Thinkrace for their customer-facing location tracking portal. Some partners redirect users to a generic Thinkrace-provided page that is recognizable by its design, but with others you might not be aware of the connection unless you traced the portal all the way back to the API itself.

Government regulation required?

Smartwatches can be subject to stricter medical regulations when used for fitness tracking purposes, but there is no special regulation governing their use for child location tracking or any special consideration given to location data.

Tim Erlin, VP, product management and strategy at Tripwire, provided the following comments:

“It’s very hard for consumers to make an informed choice about a product based on how it protects sensitive data when there’s essentially zero transparency. Consumers simply can’t tell if a device manufacturer has taken privacy seriously or not.

“These situations are where government regulation becomes important. Consumers have every right to expect the privacy of their data, and their children’s data, to be minimally protected.”

Enhanced regulation of location tracking smartwatch manufacturers would dovetail with the expansion of general data privacy laws, whether at the state level (as was recently done in California) or by way of a comprehensive federal bill. This continues to be a contentious issue, with some federal bills being considered but none anywhere near being written into law at this point.

Laws similar to the California Consumer Privacy Act would require companies to secure their devices properly, and make them liable (by way of heavy fines and possible civil lawsuits) if a data breach occurs. Until then, there is little impetus for location tracking companies like Thinkrace to put an end to these security flaws so long as their devices are still selling.

Protecting yourself from rogue smartwatches

If you are presently using a smartwatch for location tracking, first find out whether it is a Thinkrace model or uses the company’s API. There isn’t really a good fix available: ideally, stop using the device; at minimum, make sure a strong and unique password is in place. Pen Test Partners suggests ceasing use of any and all child tracking smartwatches (even if they are not subject to this particular cloud vulnerability), as they characterize those without known vulnerabilities as “rare.”


Criminal elements may be interested in exploiting this cloud vulnerability even if they have no interest in children’s locations or in stealing personal data. Exploitable smart devices such as these are added to “botnets” that are used to perform distributed denial of service (DDoS) attacks capable of shutting down web servers, and automated tools often gain access by scanning millions of devices and breaking through weak passwords. Location tracking devices like smartwatches that have a SIM chip are of particular interest, as they can be used to vote in popularity contests by text message even if they do not have a phone number.