
Australian Child-Tracking Smartwatch Vulnerable to Hackers

Report: Hacker Could Spoof Child's Location, View Personal Information

An Australian version of the Gator smartwatch, designed for tracking children and the elderly, contains a number of worrying vulnerabilities, researchers say. (Photo: Troy Hunt)

An Australian company that markets a smartwatch that lets parents monitor their children shut down its service on Monday after researchers revealed hackers could track a child's location, spoof the location, add themselves as a "parent" and view personally identifiable information associated with the account.


The affected service comes from Brisbane-based iStaySafe Pty. Ltd., which launched its GPS-enabled TicTocTrack smartwatch five years ago.

Pen Test Partners, a U.K. penetration testing and consulting company, found the flaws and has described them in a blog post.

Through a mobile app, parents can see their child's location every six minutes, speak to their child and get alerts if a child leaves a geo-fenced area. The watch, which is made by China-based Gator Group, costs $200 in Australia, plus a subscription for an active SIM card. It is also sold as a device to monitor the elderly.

The vulnerabilities would also let a hacker make a phone call to the watch. The TicTocTrack allows parents to configure the watch so that it answers a call from designated numbers. That functionality could be abused to simply listen to a child or begin speaking to the child.

"The security is absolutely wretched," says Troy Hunt, a security expert who purchased a pink TicTocTrack watch for his six-year-old daughter to let Pen Test Partners test its security. Hunt wrote an in-depth post describing his experiences with the watch.

In a statement Monday, iStaySafe Pty. Ltd. appeared to express doubt about Pen Test Partners' findings, writing that it had not yet received full details of the vulnerabilities. But it said it would be "restricting user access" to the application until it confirmed and fixed the issues.

"To this day, there never has been a security breach that has led to our customers' personal data being used for malicious purposes," says Karen Cantwell, founder of iStaySafe Pty. Ltd.

Hunt says Cantwell's conclusion has a flaw in logic.

"It's not uncommon to see a response like this following a security incident, but what it should read is 'we don't know if there's ever been a security breach'," he writes.

The company began notifying customers by email and text messages on Monday afternoon. It was unclear if the company planned to notify the Office of the Australian Information Commissioner, which can impose fines on organizations for failing to report a qualifying breach under law.

If the vulnerabilities are confirmed, TicTocTrack says it will offer refunds for subscriptions to all customers "during the affected period."

In October 2018, Pen Test Partners published research outlining some of the same kinds of vulnerabilities in another Gator watch. As a result of the findings, Gator fixed problems with its own web application. This time around, Pen Test Partners began looking at TicTocTrack after seeing a story earlier this month about the watch and Cantwell on the national broadcaster, ABC.

One Login, Full Access

The technical problem is that the TicTocTrack software allows anyone who is logged into the service to access other accounts in Australia. Web applications are supposed to ensure that whoever is logged in has access only to the resources for their own authorized account.

But due to a flaw in TicTocTrack's API, other Australian accounts can be accessed by incrementing an integer known as the "FamilyIdentifer." That integer appears in the request, and simply changing the number allows access to other accounts.

"The backend is an odata REST interface with a basic authentication of username:password that are provided during login," writes Pen Test Partners. "Backend does not make any authorization attempt on any request other than the user having a valid username/password combination."


This type of vulnerability is known as an insecure direct object reference. It's quite a grievous mistake in web application development and would have been caught had the app gone through a security audit, Hunt says.

The mobile app was developed for TicTocTrack by a Sri Lanka-based firm called Nibaya. Officials with Nibaya couldn't immediately be reached for comment on Monday.

On the bright side, Hunt says the issue is easy to fix. But a broader question is whether attackers have actually abused the issue and accessed accounts. Forensically determining that would be difficult, he says.

"This vulnerability relied on an authenticated user with a legitimate account modifying a number in the request, and the likelihood of that being logged in a fashion sufficient enough to establish it ever happened is extremely low," Hunt writes.
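
The missing ownership check described above, together with the per-request logging Hunt says is unlikely to exist, as an added example that is not code from TicTocTrack, Nibaya or Pen Test Partners. The handler names, account table and audit-log format are hypothetical and the data is constructed.

```python
from collections import defaultdict

# Constructed sample data: the family each login owns, and the family records.
ACCOUNT_FAMILY = {"alice": 1001, "bob": 1002, "carol": 1003}
FAMILIES = {
    1001: {"family_id": 1001, "watch_location": (-27.47, 153.02)},
    1002: {"family_id": 1002, "watch_location": (-33.87, 151.21)},
    1003: {"family_id": 1003, "watch_location": (-37.81, 144.96)},
}
AUDIT_LOG = []  # one entry per request: who asked, for which family, outcome


class Forbidden(Exception):
    """Authenticated caller requested a record that is not theirs."""


def get_family_vulnerable(auth_user, family_id):
    # The flaw as described: a valid login is the only check, so the
    # client-supplied identifier alone decides which record comes back.
    if auth_user not in ACCOUNT_FAMILY:
        raise PermissionError("authentication required")
    return FAMILIES[family_id]


def get_family_hardened(auth_user, family_id):
    if auth_user not in ACCOUNT_FAMILY:
        raise PermissionError("authentication required")
    owned = ACCOUNT_FAMILY[auth_user]
    allowed = family_id == owned  # authorization: record must belong to caller
    # Log the caller AND the requested identifier, allowed or not, so a later
    # review can establish whether cross-account requests ever happened.
    AUDIT_LOG.append({"user": auth_user, "requested": family_id, "allowed": allowed})
    if not allowed:
        raise Forbidden(f"{auth_user} may not read family {family_id}")
    return FAMILIES[family_id]


def users_requesting_foreign_families(log, min_distinct=2):
    """Return {user: sorted ids} for users denied on several distinct ids."""
    denied = defaultdict(set)
    for entry in log:
        if not entry["allowed"]:
            denied[entry["user"]].add(entry["requested"])
    return {u: sorted(ids) for u, ids in denied.items() if len(ids) >= min_distinct}
```

The hardened handler compares the requested identifier with the one tied to the authenticated login before any lookup, so unknown identifiers are refused the same way as another family's.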

"I am Vangelis ..."

To assist Pen Test Partners, Hunt ordered one of the watches. He was working late one night when the pink watch lit up. He suddenly heard Vangelis Stykas, a security consultant with Pen Test Partners, speaking with a heavy Greek accent.

Hunt has published a video with his daughter, Elle, that reproduces what happened to him. Elle sits in her room reading a book when her pink watch chimes. Then, a voice comes through the watch, and Elle says "Hi, who are you?"

"I am Vangelis, from the other part of the world," Stykas says.

Hunt gave permission for Stykas to do the exercise. Stykas was able to call the device after adding himself as a parent, and then the device automatically answered, allowing him to speak to Elle. The pink watch showed the word "Dad" when Stykas called.

Troy Hunt's daughter, Elle, responds to an unprompted call from Vangelis Stykas, a security consultant with U.K.-based Pen Test Partners.

IoT Watches: Security Concerns

Theoretically, the problems with the TicTocTrack should have never happened. And that's not just because the developers should have had greater knowledge of insecure direct object references.

In October 2017, the Norwegian Consumer Council published a detailed paper in partnership with the security firm Mnemonic into the privacy issues and security aspects of four kinds of smartwatches, including the Gator.

The NCC's report on smartwatches.

The NCC found that geofencing capabilities, which allow parents to get an alert if a child wanders out of a pre-defined area, and an SOS function a child could push were either unreliable or didn't work.

"Our findings are alarming," the council writes. "We discovered significant security flaws, unreliable safety features and a lack of consumer protection."

One of the devices examined by NCC was the Gator 2 model sold in Norway at the time. It found it was possible to covertly take over a registered account due to "a combination of critical design flaws."

"Due to the ease of execution, it is a plausible assumption that this attack could have already been discovered by another party and be in active use," according to the NCC technical report. "It would also be possible to automate and sell to non-technical users."

Investigators also found it was not possible to delete the Gator 2's account history, which could be viewed if an attacker re-paired the device with their own accounts.

A month later, in November 2017, Germany banned all smartwatches that had been marketed and developed for children. Germany's regulator, the Federal Network Agency, concluded the ability to turn on the device remotely without notifying its users - a common feature - constituted an illegal monitoring function, reports Deutsche Welle.

In early 2017, Germany advised parents to destroy a toy called "My Friend Cayla," a doll that the country concluded could spy on children and contained illegal radio transmission equipment.