More than a year after announcing the #WatchOut vulnerabilities in Gator brand children’s smartwatches, researchers revisited the platform and found even greater vulnerabilities in watches from Gator and other children’s smartwatch manufacturers.
While the initial vulnerabilities spotted in October 2017 allowed unauthorized access, remote audio surveillance, location spoofing, and SOS compromise, recent tests conducted by Pen Test Partners have shown that an attacker can now access the entire database, including real-time child locations, child and parents’ names and more, according to a Jan. 29 blog post.
The vulnerabilities aren’t just in Gator’s technology but also in the TechSixtyFour back-end service provided by Caref Watch Co Ltd, which also provides services for other smartwatches.
The system ultimately failed to validate that the user had the appropriate permission to take admin control, and as a result an attacker could get full access to all account information and all watch information.
The vulnerabilities have since been resolved, but researchers say the bug impacted 20,000 accounts on the system and 35,000 devices. Researchers warn users to beware of GPS-enabled smartwatches at low price points, as there is often little money to cover the cost of security.