30 May 2018
The popularity of smart children’s watches is increasing every day. They collect sensitive information, such as locations. But do these devices keep the data safe? We looked it up.
The popularity of smart children’s watches is increasing every day. These watches allow parents to keep track of the current location of their children. Most vendors allow for parents to retrieve this information using a mobile app. Apart from the location, most of the vendors offer parents the possibility to send text messages to the smartwatch and initiate a call. Sometimes it is even possible to start a call without confirmation from the watch itself, which makes it possible for parents to secretly listen to a child’s environment. Therefore, Germany banned the devices.
These watches collect sensitive information, such as location, and store it centrally, so parents know where their kids are while they wear the smartwatch. KPN decided to dive into some of these smartwatches to identify whether the devices keep the data safe. We picked some random children’s smartwatch apps and started to investigate them. Early on in the research, we discovered a vulnerability in the hellOO smartwatch cloud environment. The vulnerability allows attackers to retrieve the complete location history of any smartwatch sold by hellOO. Later in the investigation we determined that other resellers of the same product were affected by the vulnerability as well. The smartwatches are used by users in at least 13 different countries. This is how it works.
In order to discover vulnerabilities, our investigators started by performing a so-called “man in the middle” attack on the included app that parents use to control the smartwatch. With this attack, our investigators gained insight into the communication flow between the app and the corresponding cloud environment. The communication can also be manipulated easily.
We discovered a request which queries the cloud environment by using a so-called “watchid” parameter. The request generates a response with a phone number, which is the phone number of the owner that is associated with the specific watch. The “watchid” parameter seemed to be the unique identifier of the watch. By performing the request our investigator was able to get the phone number associated with the watch:
At this point we know the owner’s phone number (usually this will be one of the parents) that is linked to the specific watch. We wondered if we would be able to map the identifiers of other watches. If the watch identifiers are guessable and inadequate access control checks are performed, we should be able to request the same information from other watches.
To determine whether this is the case, we started an automated process that tried 10,000 requests with different (increasing) numbers. We found that at least 508 of the 10,000 requests returned the watch owner’s phone number, which means these are valid watch identifiers and that inadequate access control is performed:
One of the most interesting features of the smartwatches is the GPS location functionality. Are we also able to get this information from other smartwatches? We found another request that asks for the GPS location of a specific watch and returns its location history in JSON format:
Again, the same parameter named “watchid” is used. So, by combining what we know, we might be able to use the previously discovered watchids to find the location of the watches. Through testing, our investigators determined that it was possible to request the complete GPS location history of any watch sold by the vendor.
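The flaw described above is a missing ownership check: the cloud looks up a record by “watchid” alone, so any valid id returns another family’s data. The following is an added illustration, not the vendor’s code, using constructed sample data and log lines; it contrasts the unchecked lookup with a handler that ties the watch to the authenticated account and adds a detector for the kind of sequential id sweep we ran.

```python
from collections import defaultdict

# Constructed sample data (not real watch ids or accounts): which account owns which watch.
WATCH_OWNERS = {
    "1000001": "parent_a",
    "1000002": "parent_b",
    "1000003": "parent_a",
}
# Constructed location history per watch; the shape is assumed, not the real API format.
LOCATION_HISTORY = {
    "1000001": [{"ts": "2018-05-01T08:00:00Z", "lat": 52.37, "lon": 4.89}],
    "1000002": [{"ts": "2018-05-01T08:05:00Z", "lat": 51.92, "lon": 4.48}],
    "1000003": [],
}
# Constructed access log, one request per line: "<session_user> <watchid> <http_status>".
SAMPLE_LOG = [
    "parent_a 1000001 200",
    "parent_a 1000003 200",
    "sweep_session 1000001 200",
    "sweep_session 1000002 200",
    "sweep_session 1000003 200",
    "sweep_session 1000004 404",
    "sweep_session 1000005 404",
]


class Forbidden(Exception):
    """Raised when the caller does not own the requested watch."""


def get_history_vulnerable(watchid):
    # Mirrors the flaw in the article: the id alone selects the record.
    return LOCATION_HISTORY.get(watchid)


def can_access(session_user, watchid):
    # Ownership check: the watch must be linked to the logged-in account.
    return WATCH_OWNERS.get(watchid) == session_user


def get_history_secure(session_user, watchid):
    # Unknown and foreign ids get the same refusal, so the endpoint cannot be
    # used as an oracle to learn which ids are valid.
    if not can_access(session_user, watchid):
        raise Forbidden("watch not linked to this account")
    return LOCATION_HISTORY[watchid]


def find_enumerators(log_lines, threshold=3):
    # A parent queries one or a few watches; many distinct ids from one
    # session is the signature of an automated sweep like the one described.
    seen = defaultdict(set)
    for line in log_lines:
        user, watchid, _status = line.split()
        seen[user].add(watchid)
    return sorted(u for u, ids in seen.items() if len(ids) > threshold)
```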
Our employees have written an application to plot the collected JSON-formatted GPS information on a map. This visualizes the complete location history of a watch:
During the responsible disclosure process with the owners of the hellOO smartwatch, we determined that the product is created and maintained by a Chinese vendor. hellOO is a reseller of the product. This raised some interesting questions. Are other resellers of the product using the same (vulnerable) cloud environment? If yes, in which countries are the users located? This could drastically increase the impact of the vulnerability discovered.
One of our employees bought a smartwatch from another Dutch reseller. We tried to request the GPS location history from this smartwatch while logged into a hellOO user account. We were able to successfully request the GPS information from the smartwatch sold by another reseller. This means that the different resellers are using the same vulnerable cloud environment.
The next question our investigators asked themselves was: in which countries is the smartwatch used? During the enumeration of valid serial numbers we collected a number of phone numbers and analyzed their country codes. The phone numbers we identified came from the following countries, which indicates the smartwatches are used in at least these countries:
Tracking devices for children offer parents the possibility to keep track of their children without them needing to call or physically search. The data generated is very sensitive and private so, when aggregating this data, it’s critical to keep this data safe. Failing to do so will allow third parties to digitally track people in the physical world. We’ve seen what can happen once a large data set is available during the Strava incident.
In other words: children’s watches, but also other “internet of things” products, introduce risks. When buying such a device, be aware of the possible security risks. Always think about the information that is collected as part of a service or by a product. What would the impact be if this information were obtained by malicious people? Are the risks worth the benefits?
Another wakeup call: reselling products can have a big worldwide impact. The products sometimes share a single cloud environment, which may contain vulnerabilities. When that is the case, users worldwide are hit by the vulnerability at once.