Parents buy their children GPS-enabled smartwatches to know about their whereabouts, but security bugs mean they’re not the only ones who can.
Researchers have discovered several vulnerabilities in many child-tracking smartwatches this year. The new findings revealed that nearly all were carrying a far greater and more damaging flaw in a commonly shared cloud platform used to run millions of cellular-enabled smartwatches.
ThinkRace Technology, a Chinese white-label electronics maker, has developed the cloud platform. It is one of the largest manufacturers of location-tracking devices. The platform acts as a backend system for ThinkRace-made devices, storing and fetching locations and other device data.
Not only does ThinkRace sell its child-tracking watches to parents who want to keep an eye on their children, but it also sells its tracking devices to third-party businesses, which repackage and rename them.
Every device it makes or resells uses the same cloud platform, meaning that any smartwatch made by ThinkRace and sold by one of its customers is vulnerable.
The findings were shared with TechCrunch by Ken Munro, the founder of Pen Test Partners. The company’s research detected at least 47 million vulnerable devices. “It’s only the tip of the iceberg,” he said.
Smartwatches Leaking Location Data
Munro and his team found more than 360 devices, mostly watches and other trackers, that were made by ThinkRace. Many ThinkRace devices are sold under different brand names because they are relabeled and resold.
“Often the brand owner doesn’t even realize the devices they are selling are on a Thinkrace platform,” said Munro.
Each tracking device communicates with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers tracked the commands back to ThinkRace’s cloud platform, which they pointed out as a common point of failure.
The researchers said that most of the commands that control the devices required no authorization and were well documented, allowing anyone with basic knowledge to gain access and track a device. Because account numbers are not randomized, the researchers found that simply incrementing each account number by one let them access devices in bulk.
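The two flaws just described, a location lookup with no ownership check and predictable account numbers, as an added Python sketch that is not ThinkRace's or Pen Test Partners' code; the session tokens, account ids, device ids and coordinates are constructed sample data:

```python
# Added example: an in-memory model of a tracker "get location" call, first
# with the flaw the article describes, then with object-level authorization
# and non-sequential identifiers. All data below is constructed.
import secrets
from typing import Optional, Tuple

# Constructed sample data: two accounts, each owning one tracker.
SESSIONS = {"tok-alice": "acct-1", "tok-bob": "acct-2"}
DEVICES = {
    "1001": {"owner": "acct-1", "loc": (51.50, -0.12)},
    "1002": {"owner": "acct-2", "loc": (48.85, 2.35)},
}


def get_location_vulnerable(device_id: str) -> Optional[Tuple[float, float]]:
    """Any caller who knows a device id gets its location: no session and no
    ownership check. With sequential ids, a caller who can see one id can
    reach the rest just by counting."""
    dev = DEVICES.get(device_id)
    return dev["loc"] if dev else None


def get_location_hardened(session_token: str,
                          device_id: str) -> Optional[Tuple[float, float]]:
    """Resolve the caller from a session, then require that the device belongs
    to that caller (object-level authorization). Unknown and not-owned devices
    both return None so the reply does not reveal which ids exist."""
    account = SESSIONS.get(session_token)
    if account is None:
        return None
    dev = DEVICES.get(device_id)
    if dev is None or dev["owner"] != account:
        return None
    return dev["loc"]


def new_device_id() -> str:
    """Opaque, unguessable device ids from a CSPRNG: consecutive registrations
    no longer produce consecutive numbers, so 'id + 1' guessing stops working.
    The ownership check above is still required; random ids only raise the cost
    of guessing."""
    return secrets.token_urlsafe(16)
```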
These flaws put at risk not only children but anyone else who uses the devices. In one case, ThinkRace provided 10,000 smartwatches to athletes participating in the Special Olympics. Because of the vulnerabilities, every one of those athletes could have had their location monitored, the researchers said.
Munro said that while the vulnerabilities are not believed to have been severely exploited, device makers like ThinkRace “need to get better” at building more secure systems. Until then, Munro said owners should stop using these devices.
Hi, I’m Shubham. If you find my news coverage informative, please don’t hesitate to drop a good word in my inbox. Being a journalist, I like to cover major reportings across the globe and present the news in a crisp and factual manner. Feel free to contact me at [email protected]