Blog: Internet Of Things
GPS watch issues… AGAIN
Over the last year of looking at kids GPS tracking watches we have found some staggering issues. With these devices it almost seems that having multiple security issues is the new normal.
While parents and guardians may get a feeling of security from using these devices, our testing and research shows it’s just that, a “feeling”.
A couple of years ago we bought and reviewed a number of smart kids tracker watches, including some Gator watches from TechSixtyFour.
After chatting to our friends at the Norwegian Consumer Council, who we know well through My Friend Cayla, we discovered they were working on exactly the same tech, by complete coincidence!
We decided to pause our project to avoid us duplicating their efforts. Shortly after, the Norwegian Consumers Council published the excellent ‘WatchOut’ research that demonstrated trivial access to kids GPS locations through vulnerable tracker watches, including the Gator.
It received plenty of press coverage and resulted in several kids tracker watches taking swift action to secure their systems.
A year on, we decided to have a look at the Gator watch again to see how their security had improved as a result of their actions.
TL; DR
Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents details etc. Not just Gator watches either – the same back end covered multiple brands and tens of thousands of watches
The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!
This means that an attacker could get full access to all account information and all watch information. They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch.
In fairness, upon our reporting of the vulnerability to them, Gator got it fixed in 48 hours.
The vulnerability
Once I took delivery of the watches I downloaded the Gator and Gator3 app. I found out that it was communicating securely with the server. As an extra bonus it was also doing SSL certificate pinning. This was a great start, it’s something we’ve been asking companies to do for years.
Sadly that is where the positive news stopped.
Next step was to browse to the site where a web login panel greeted us.
Once the app credentials are entered we can see a web page with some basic functionality:
Using a simple web proxy we can edit the user profile and review the request being sent to the website.
User[Grade] stands out in there. I changed the value to 2 and nothing happened, BUT change it to 0 and you get platform admin.
Look at the difference to the page following the modified request:
After just a small change full admin functionality was made available. We found we could also list and modify all users and all device data.
Disclosure
The TechSixtyFour back end service is provided by Caref Watch Co Ltd, the Chinese head office operation with (we understand) TechSixtyFour as the UK distributor.
- We disclosed to TechSixtyFour on the 11th January asking for a resolution within one month, meaning a public disclosure point of 11th February. This may seem short but sensitive data involving 35,000 children was exposed.
- TechSixtyFour requested two months (11th March) due to it being Chinese New Year. We were really disappointed by this request, given the sensitivity of the data involved.
- Given the risk to child safety we declined and advised we would still disclose publicly on the 11th February, or after remediation. TechSixtyFour requested that Caref fix the issues. A fix was made, so we offered to validate its effectiveness.
- The claimed ‘fix’ turned out to be implementing a 502 on our own accounts (FFS!) and removing the form element from the front end web page, yet the parameter was still available!
- We went back to TechSixtyFour and requested that the bug was fixed properly.
- The following day Caref apologised for the failed fix and removed the offending form and parameter.
- We received notification and validated that the issue was resolved on the 16th.
Vendor response
We discovered 20,000 accounts on the system, with 35,000 devices affected. This isn’t good. Given TechSixtyFour’s flawed security history we would have thought that a thorough security review would have be undertaken immediately after the findings of the Norwegian Consumer Council were published last year.
However, it appears that only an automated vulnerability assessment service was used. These will find further issues, but they’re just not thorough or capable enough to really dig deep, particularly in to an API.
After contacting the vendor about this serious issue, missed by the automated tools, TechSixtyFour managed to close this additional vulnerability.
Doing security on the cheap often ends badly, but at least it was fixed quickly when we reported the vulnerability.
Fortunately TechSixtyFour publish a vulnerability disclosure contact and have a public disclosure policy. That made life much easier for both us and them, it also minimised the prospect of public disclosure of an unresolved vulnerability.
Conclusion
The GPS watch market is growing significantly. Not only are children’s watches incorporating the services, but some running watches are employing the technology. This has led to some interesting uses by law enforcement, but the issues discussed in this post make this type of attack possible for anyone with the simplest of tools.
We keep seeing issues on cheap Chinese GPS watches, ranging from simple Insecure Direct Object Request (IDOR), to this even simpler full platform take over with a simple request parameter change. As this product is used by children, its security should be tested regularly and thoroughly.
On a wider scale the GPS watch market needs to ensure that their products are adequately tested. The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security.
Our advice is to avoid watches with this sort of functionality like the plague. They don’t decrease your risk, they actively increase it.