Security researchers found flaws in a smart tracker that was aimed at the elderly, especially those with dementia or other cognitive issues.
In research released late this week, Pen Test Partners found flaws in source code that the manufacturer had posted publicly. Most of the watches use SETracker as their backend and companion app, owned by the Chinese company 3G Electronics, based in Shenzhen.
While at first blush this finding could be passed off as yet another insecure Chinese-made kids’ watch, or a typical IoT problem, Ken Munro, partner at Pen Test Partners, said it’s much more serious this time.
The SETracker platform supports automotive trackers for cars and motorcycles as well as dementia trackers for elderly patients. The vulnerabilities discovered could allow control over all of these devices.
Munro said the app that works with the watches has been downloaded more than 10 million times. Once 3G Electronics was alerted to these issues, they fixed the security flaws a few days later. However, the potential danger was real for a considerable time.
The vulnerabilities existed for at least three years, Munro said, at least since the Norwegian Consumer Council had some success pushing to get some similar brands banned.
“We were amazed that nobody was hurt, as far as we know,” Munro said. “We were also shocked when the company responded and made the fix, in most of these cases they don’t respond at all.”
Here’s what the researchers found: On the plus side, if the wearer goes for a walk and forgets their way home, their caregiver can easily track them with a mobile application. The watch also lets the wearer trigger a call to their caregiver, and lets caregivers trigger the watch to remind the wearer to take their medication. So if the caregiver couldn’t visit the dementia patient because of a Covid-19 restriction, sending the remote alert was very helpful for patients who couldn’t remember on their own.
Unfortunately, Munro said the researchers found that anyone with some basic hacking skills could track the wearer, audio bug them using the watch, or could even trigger the medication alert as often as they wanted. Most dementia patients are unlikely to remember that they had already taken their medication, so an overdose could result.
The same manufacturer also makes tracker watches for children on the same cloud platform. The researchers could also trigger the ‘Take Pills’ alert on kids watches. While many kids might question the command, the researchers were concerned there was always a chance a child could actually “take the pills” and overdose as well.
Alex Useche, senior appsec consultant at nVisium, said he’s seen many instances where IoT devices communicate with unauthenticated API services, opening critical vulnerabilities that are easy to exploit.
“Even when authentication takes place, the process often relies on easily discovered tokens stored in the device,” Useche said. “In those cases, it’s merely a matter of discovering the URLs for the API endpoints by capturing network traffic or extracting software directly from the device. This type of problem highlights the need to include security in the initial design of IoT products, which often consist of multiple components and, as a result, numerous teams.”
For those interested, here’s some more detail on what Pen Test Partners found through an unrestricted server-to-server API. They could do the following:
- Make a device call any phone number.
- Make a device send SMS with any text.
- Call any device.
- Spy on any device even in countries like Germany where this functionality was supposedly disabled.
- Fake a message from a parent.
- Kill the engine of a car tracker.
- Access the camera of all devices with a camera.
- Send a “Take Pills” command to the device to remind a relative to take medication.
Additionally, because their source code was publicly available they found:
- MySQL password for all databases.
- Aliyun file bucket credentials (S3 equivalent, holding ALL their pictures).
- Email credentials.
- SMS credentials.
- Redis credentials.
- IPs and services of 16 servers.
- The entire server-side source code for SETracker.
- The default password 123456 is hard-coded in the source code.
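To make the authorization gap concrete, here is an added illustration (not SETracker code and not Pen Test Partners’ material): a command dispatcher in the unrestricted form the researchers described, beside one that checks the caller’s binding to the device and rate-limits the medication reminder. The command names, the Backend class and the four-hour interval are assumptions.

```python
"""Constructed illustration of the server-to-server API gap described above.

Nothing here is SETracker code; the command set, class names and the
reminder interval are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
import time

# Assumed command vocabulary; "kill_engine" is deliberately absent so the
# hardened dispatcher rejects commands outside the device's profile.
ALLOWED_COMMANDS = {"take_pills", "call_caregiver", "locate"}
MIN_REMINDER_INTERVAL = 4 * 3600  # assumption: at most one reminder per 4 hours


@dataclass
class Backend:
    # device_id -> set of caregiver ids permitted to command that device
    bindings: dict = field(default_factory=dict)
    # device_id -> timestamp of the last accepted "take_pills" reminder
    last_reminder: dict = field(default_factory=dict)
    # log of (device_id, command) pairs actually pushed to devices
    sent: list = field(default_factory=list)

    def unrestricted_dispatch(self, device_id, command):
        """Mirrors the reported flaw: no caller identity is checked, so any
        caller can send any command to any device id it can guess."""
        self.sent.append((device_id, command))
        return True

    def authorized_dispatch(self, caller_id, device_id, command, now=None):
        """Hardened form: the caller must be bound to the device, the command
        must be in the allowed set, and medication reminders are throttled so
        a repeated 'Take Pills' push cannot drive an overdose."""
        now = time.time() if now is None else now
        if command not in ALLOWED_COMMANDS:
            return False, "unknown command"
        if caller_id not in self.bindings.get(device_id, set()):
            return False, "caller not bound to device"
        if command == "take_pills":
            last = self.last_reminder.get(device_id)
            if last is not None and now - last < MIN_REMINDER_INTERVAL:
                return False, "reminder rate limit"
            self.last_reminder[device_id] = now
        self.sent.append((device_id, command))
        return True, "sent"
```

Every rejection path returns a reason string so the backend can log it; repeated "caller not bound to device" failures against many device ids are exactly the enumeration pattern a detection rule would look for.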