TechCrunch has reported on a vulnerability in GPS-enabled smartwatches for kids that could allow anyone to track them.
In an exclusive release to TechCrunch, security firm Pen Test Partners detailed their findings. The researchers found a vulnerability in the cloud platform developed by a Chinese firm called Thinkrace.
Not only does Thinkrace manufacture and sell its own line of child-tracking smartwatches, but it is also a white-label manufacturer. In other words, it manufactures devices that are relabeled and sold by other companies under different names and brands. All told, Thinkrace makes some 360 different devices, totaling at least 47 million units.
“Often the brand owner doesn’t even realize the devices they are selling are on a Thinkrace platform,” Ken Munro, founder of Pen Test Partners, told TechCrunch.
Because all Thinkrace devices use its cloud platform, all of them—regardless of which company they are branded under—are vulnerable.
According to TechCrunch, “each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers traced the commands all the way back to Thinkrace’s cloud platform, which the researchers described as a common point of failure.
“The researchers said that most of the commands that control the devices do not require authorization and the commands are well documented, allowing anyone with basic knowledge to gain access and track a device. And because there is no randomization of account numbers, the researchers found they could access devices in bulk simply by increasing each account number by one.”
Perhaps most disturbing, because Thinkrace watches allow parents and children to talk to each other, walkie-talkie-style, “researchers found that the voice messages were recorded and stored in the insecure cloud, allowing anyone to download files.”
Worse yet, the researchers told TechCrunch that the most common commands are well documented and do not require authorization, leaving them virtually wide open for anyone to access. Account numbers are also assigned sequentially rather than randomized, meaning that with a single account number a hacker could keep reaching other devices simply by increasing or decreasing the account number by one at a time.
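Sequential account numbers make the bulk enumeration described above easy to spot from the platform side. The following added example is not Pen Test Partners' or Thinkrace's code; the log format, endpoint path and account numbers are constructed for illustration. It flags clients whose requests walk consecutive account IDs, which is what an operator of such a platform would want to alert on.

```python
"""Detect bulk account-ID enumeration against a device-tracking API.

Added example, not code from the original article or from Thinkrace.
The log format, endpoint path and account numbers are constructed.
"""
import re
from collections import defaultdict

# Constructed access-log sample: "<client_ip> <method> <path>", one request
# per line, with the account number carried as a query parameter.
SAMPLE_LOG = """\
203.0.113.5 GET /api/device/location?account=100200
203.0.113.5 GET /api/device/location?account=100201
203.0.113.5 GET /api/device/location?account=100202
203.0.113.5 GET /api/device/location?account=100203
203.0.113.5 GET /api/device/location?account=100204
198.51.100.7 GET /api/device/location?account=554321
198.51.100.7 GET /api/device/location?account=554321
192.0.2.9 GET /api/device/location?account=777001
192.0.2.9 GET /api/device/location?account=777002
"""

LINE_RE = re.compile(r"^(\S+) (\S+) \S*[?&]account=(\d+)")


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the ids."""
    uniq = sorted(set(ids))
    if not uniq:
        return 0
    best = run = 1
    for prev, cur in zip(uniq, uniq[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=4):
    """Map each client IP to its longest sequential-ID run, keeping only
    clients that walked at least `min_run` consecutive account numbers."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            by_client[m.group(1)].append(int(m.group(3)))
    runs = {ip: longest_sequential_run(ids) for ip, ids in by_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}


if __name__ == "__main__":
    for ip, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: walked {n} consecutive account numbers")
```

A legitimate parent app requests one or two fixed accounts, so a long consecutive run from a single client is a strong enumeration signal; the threshold is an assumption to tune per deployment.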
Pen Test Partners discovered the vulnerabilities and notified the affected companies in 2015 and 2017, giving manufacturers time to address the issues. While some did, unfortunately many did not. Even those companies that implemented fixes saw some of them undone at a later date.
The lack of definitive action to address these vulnerabilities prompted Pen Test Partners to finally go public with their findings in the interest of warning people about the danger of Thinkrace’s devices.
It continues to be utterly shocking how irresponsible companies can be in handling user data, not to mention data involving children. Needless to say, any individual—and especially parents—using a Thinkrace device should stop immediately.