Parents buy GPS-enabled smartwatches to keep an eye on their children, but security holes mean that they aren't the only ones who can.
This year alone, researchers found several vulnerabilities in a number of child-tracking smartwatches. But findings published today show that almost all of them shared a far larger, more damaging flaw in a common cloud platform used to give millions of smartwatches their cellular functionality.
The cloud platform was developed by the Chinese white-label electronics manufacturer Thinkrace, one of the largest makers of tracking devices. The platform acts as a back-end system for devices manufactured by Thinkrace, storing and serving locations and other device data. Thinkrace not only sells its own child-tracking watches to parents who want to keep an eye on their children; it also sells its tracking devices to third-party companies that repackage and rebrand them for sale to consumers.
All of these devices, whether sold by Thinkrace or resold under another name, use the same cloud platform, meaning that every white-label device manufactured by Thinkrace and sold by one of its customers is vulnerable.
Ken Munro, founder of Pen Test Partners, shared the results exclusively with trendzhq. The company's investigation found at least 47 million devices at risk.
"It's just the tip of the iceberg," he told trendzhq.
Smartwatches reveal location data
Munro and his team found that Thinkrace manufactured more than 360 devices, mainly watches and other trackers. Because the devices are rebranded and resold, many Thinkrace devices carry other companies' names.
"Often, the brand owner doesn't even notice that the devices he sells are on a Thinkrace platform," said Munro.
Each tracking device sold talks to the cloud platform either directly or through an endpoint hosted on a web domain operated by the reseller. The researchers traced these commands back to the Thinkrace cloud platform, which they identified as the common point of failure.
The researchers said that most of the commands used to control the devices require no authorization, and that the commands are well documented, so anyone with basic knowledge could access and track a device. Because account numbers are sequential rather than random, the researchers found they could access devices in bulk simply by incrementing the account number by one.
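As an added illustration, not code from the researchers, Thinkrace or any reseller, the following Python shows the two defender-side counterparts of the flaw just described: the server-side ownership check that an unauthorized device endpoint lacks, and a log check that flags a client walking consecutive account numbers. The API paths, log lines and owner table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed access-log lines for a hypothetical tracker API (not real
# Thinkrace or reseller traffic): client IP, HTTP method, path with account id.
ACCESS_LOG = """\
198.51.100.7 GET /api/device/100231/location
198.51.100.7 GET /api/device/100232/location
198.51.100.7 GET /api/device/100233/location
198.51.100.7 GET /api/device/100234/location
203.0.113.9 GET /api/device/100540/location
203.0.113.9 GET /api/device/100540/voice
""".splitlines()

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) /api/device/(?P<acct>\d+)/")

def sequential_enumerators(lines, min_run=3):
    """Return {ip: longest run} for clients whose requested account numbers
    form a run of consecutive integers at least min_run long, the pattern
    produced by stepping through non-random account ids one at a time."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            seen[m["ip"]].append(int(m["acct"]))
    flagged = {}
    for ip, accts in seen.items():
        best = run = 1
        for prev, cur in zip(accts, accts[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

# Hypothetical ownership table: which logged-in account may read which device.
DEVICE_OWNER = {100231: "parent-a", 100232: "parent-b"}

def authorized_location(session_user, device_id, locations):
    """Hardened lookup: the caller must be the device's registered owner.
    An endpoint with no authorization would simply return
    locations[device_id] for whatever id the client supplied."""
    if DEVICE_OWNER.get(device_id) != session_user:
        return None  # deny rather than leak another family's data
    return locations.get(device_id)
```

In a real deployment the ownership check belongs on every device endpoint (location, voice, geofence), and the enumeration check would run over the reseller's and platform's access logs rather than an inline list.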
The errors endanger not only children, but also others who use the devices.
In one case, Thinkrace supplied 10,000 smartwatches to athletes taking part in the Special Olympics. The weaknesses meant that the whereabouts of every one of those athletes could have been monitored, the researchers said.
Children's voice recordings found exposed
One device maker acquired the rights to resell one of the Thinkrace smartwatches. Like many other resellers, this brand owner let parents track their child's whereabouts and set an alarm when the child left a geographic area the parent had defined.
The researchers said they could track the position of any child wearing one of these watches by enumerating the easy-to-guess account numbers.
The smartwatch lets parents and children talk to each other like a walkie-talkie. But the researchers found that these voice messages were recorded and stored on the insecure cloud platform, where anyone could download the files.
trendzhq listened to several randomly selected recordings and was able to hear children talking to their parents via the app.
The researchers compared the findings to CloudPets, an internet-connected teddy-bear-like toy whose maker left its cloud servers unprotected in 2017, exposing two million children's voice recordings.
Around five million children and parents use the smartwatch sold by the reseller.
Disclosure in one go
The researchers disclosed the security vulnerabilities to several white-label electronics manufacturers, including Thinkrace, in 2015 and 2017.
Some of the resellers fixed their vulnerable endpoints. In some cases, the fixes that had protected those endpoints were later reversed. Many companies simply ignored the warnings, prompting the researchers to publish their findings.
Rick Tang, a spokesman for Thinkrace, did not respond to a request for comment.
Munro said device manufacturers like Thinkrace "need to" get better at building secure systems, although the vulnerabilities are not believed to have been exploited on a large scale. Until then, Munro said, owners should stop using these devices.