Security Flaws in Children's Smart Watches

A year ago, the Norwegian Consumer Council published an excellent security analysis of children’s GPS-connected smart watches. The security was terrible. Not only could parents track the children, anyone else could also track the children.

A recent analysis checked if anything had improved after that torrent of bad press. Short answer: no.

Guess what: a train wreck. Anyone could access the entire database, including real time child location, name, parents’ details etc. Not just Gator watches either—the same back end covered multiple brands and tens of thousands of watches.

The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control!

This means that an attacker could get full access to all account information and all watch information. They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch.

In fairness, upon our reporting of the vulnerability to them, Gator got it fixed in 48 hours.

This is a lesson in the limits of naming and shaming: publishing vulnerabilities in an effort to get companies to improve their security. If a company is specifically named, it is likely to improve the specific vulnerability described. But that is unlikely to translate into improved security practices in the future. If an industry, or product category, is named generally, nothing is likely to happen. This is one of the reasons I am a proponent of regulation.

News article.

EDITED TO ADD (2/13): The EU has acted in a similar case.

Posted on January 31, 2019 at 10:30 AM • 16 Comments
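
The flaw described in the quoted analysis above, a privilege level taken from a request parameter with no server-side check, shown beside a corrected handler. This is an added example, not code from the post or from the Gator platform; the data layout, the numeric admin value, and all function and parameter names are assumptions.

```python
# Constructed server-side state (assumed schema, not the Gator platform's).
ADMIN = 0  # assumed numeric value for the admin level
USERS = {
    "alice": {"level": 1, "watches": {"w1"}},
    "bob": {"level": 1, "watches": {"w2"}},
}
WATCHES = {
    "w1": {"child": "child-A", "lat": 59.91, "lon": 10.75},
    "w2": {"child": "child-B", "lat": 60.39, "lon": 5.32},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def get_watch_vulnerable(params):
    """Flawed pattern: the privilege level is read from the request."""
    user = SESSIONS.get(params.get("token"))
    if user is None:
        return 401, None
    level = int(params.get("user_level", 1))  # client-controlled value
    watch_id = params.get("watch_id")
    if level == ADMIN or watch_id in USERS[user]["watches"]:
        return 200, WATCHES.get(watch_id)
    return 403, None


def get_watch_hardened(params):
    """Level and ownership both come from server-side records."""
    user = SESSIONS.get(params.get("token"))
    if user is None:
        return 401, None
    account = USERS[user]
    watch_id = params.get("watch_id")
    # Any user_level sent by the client is ignored here.
    if account["level"] != ADMIN and watch_id not in account["watches"]:
        return 403, None  # same answer for unowned and unknown watches
    if watch_id not in WATCHES:
        return 404, None
    return 200, WATCHES[watch_id]


def level_tampered(params):
    """Detection signal: the request claims a level the account lacks."""
    user = SESSIONS.get(params.get("token"))
    claimed = params.get("user_level")
    if user is None or claimed is None:
        return False
    return str(claimed) != str(USERS[user]["level"])
```

Logging every request for which `level_tampered` returns true gives the operator a record of attempted escalation even after the handler itself is fixed.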

Comments

Ross Snider January 31, 2019 12:06 PM

@Schneier

How do you balance both the support for regulation and the policy position against mandated access and backdoors?

It seems like the authority to regulate security for the better is in some direct tension against instincts to mandate access “for security”.

(Acknowledging here the limitations of the market to fix this).

Clive Robinson January 31, 2019 1:14 PM

@ Ross Snider,

It seems like the authority to regulate security for the better is in some direct tension against instincts to mandate access “for security”.

Try changing every use of “security” to “privacy”, all of a sudden your above statement falls apart.

The big problem is “security” does not mean what people think it means any longer. It’s become a “weasel-word” to appear to be arguing for one thing whilst actually arguing for the polar opposite.

This is not a new issue; some countries have a single word for both “safety” and “security” and have suffered lack of clarity because of it. It’s long past time we should stop calling what the State and its agents do that they call “National security” into a series of more truthful words. For instance “National Cyber-Defense” should not be predicated on the idea that “defence” is being used to cover “first strike offence” that if done in the real world would be a “war crime”.

Stopping using “weasel-words” kind of helps make the wood visible as the actual intent, rather than one or two rather offensive trees being shoved in your face. Thus with “privacy” the intent is more honest, you see the wood, with “security” being reserved for just a lone tree or two and no longer in your face.

Clive Robinson January 31, 2019 1:41 PM

@ Bruce,

This is one of the reasons I am a proponent of regulation.

Whilst I’m OK with the “right sort of legislation” it needs to be pointed out that what the US generally ends up with these days is legislation that suits those with a large lobbying fund, not the huge majority of ordinary citizens. That is, such lobbying organisations, push for legislation, that not just favours them but actively hurts small companies and individuals. In effect no different to the “patent folio and IP lawyer” method of establishing either a monopoly or cartel.

Which brings us onto,

This is a lesson in the limits of naming and shaming: publishing vulnerabilities in an effort to get companies to improve their security.

You only have to look back at Oracle and its calling “bug finders criminals”.

Oracle made security claims for specmanship / marketing reasons, that let’s be honest were proved in more than one case to be at best figments of somebody’s wish list.

Oracle not only got called on it, one of their seniors on her personal blog page accused such bug finders of breaking their contracts with behaviour that was criminal.

The page was not up long before it got passed rapidly amongst IT news outlets. Very shortly thereafter the blog page got pulled. But as far as I am aware she did not suffer any well deserved censuring actions by Oracle, thus effectively got away with it.

My concern is that regulations or not other companies will fall into a similar pattern of behaviour as Oracle. But rather than realise they are on a hiding to nothing as Oracle did will come out with guns blazing against the bug finders, probably with the full support of the likes of the FBI and DoJ.

anon January 31, 2019 2:16 PM

Why is there a database in the first place? Should be not that difficult to design a watch that sends the GPS-data to the smartphone of the parent directly?

Don Hyde February 1, 2019 8:55 AM

The reason the bug is not fixed is that it is not a bug, it is the main feature of the watches.
Start tracking early. Get the kids used to the fact that someone is always watching them and they have no way to know who it is or why they are watching.

Greg Jaxon February 1, 2019 5:59 PM

I’m with Clive on this one. And I’m disappointed in Bruce’s knee-jerk statism on such a point. If it were true that well-meaning regulations (such as say interstate mail fraud) are routinely and vigorously enforced without selectively favoring some sets of criminals over others, then I’d say regulation might, maybe, have a role to play. But Clive is not only right on the pragmatics, he’s also starting to read the public relations implications: if the (security/privacy) issue is “owned” by the federal government(s), then independent interlopers can be portrayed as tinkering with a “national security” issue. They might be prosecuted for “leaking” exploits, encouraging attacks–when the facts are that the producer of the system enabled the attack, and only ignorance of the tech details protected the users.

The child tracking case in point demonstrated not the failure of shaming generally–it only demonstrated it specifically. The designers of this open-ended invitation to crimes against children demonstrated their SHAMELESS INTENTION that this is how they mean such a scheme to work. The 48-hour fix (and what exactly was ‘fixed’?) is clearly too-little too-late. In future, defects in their system need to be published widely and loudly with the presumption that the original system is a criminal fraud. The existence of viable exploits needs to be documented in lawsuits alleging criminal endangerment of children, and district attorneys should prosecute these in a timely fashion until the producer(s) re-earn a presumption of innocence.

Isaiah February 1, 2019 8:05 PM

Greg, “knee-jerk”, really? We’ve been watching computer security fail spectacularly for just over 30 years now, IoT stuff for maybe 5. This story itself is describing year-old flaws. How much more time shall we give this industry before it’s OK to start considering the role nation-states might play?

I’m not actually any more hopeful than you or Clive that it would result in anything good—probably just a financial boost to the makers of static analysis tools etc.—but it’s hardly a knee-jerk response at this point.

Steve February 2, 2019 10:56 AM

Totally ignored in all of this is the existence of a tracker like this at all.

Are we so concerned about “safety” of our children that we never allow them a moment to be alone and unsurveilled?

Is this not just conditioning the kids to believe that they will never have a private moment by themselves and that someone, be it parents, advertisers, employers, or The State?

Gabriel February 2, 2019 1:55 PM

Why aren’t there third-party certification companies that check whether internet-enabled products are safe or unsafe? One would expect there to arise a market for such certification. Product manufacturers would like to obtain such certificates for their products in order to increase sales. A simple ad campaign would educate consumers to only buy internet-enabled products with certification. Where does the theory go wrong?

A Nonny Bunny February 2, 2019 2:05 PM

@Don Hyde

Get the kids used to the fact that someone is always watching them and they have no way to know who it is or why they are watching.

Funny how that reminds me so much of God.

Or Santa, for that matter.

He sees you when you’re sleeping
He knows when you’re awake
He knows if you’ve been bad or good
So be good for goodness sake!

Greg Jaxon February 3, 2019 6:28 PM

@Isaiah: “knee-jerk statism” is the lazy trend that used to be called “there oughta be a law…”

I really hope Bruce does not mean that government-issue regulations offer a real solution to this specific product category, or to the entire security industry. “Regulation” in the broader sense of having many tiers of “regularized” standards for securing information systems would of course be good, even if it has the downside of synchronizing errors (i.e. leading all players down one occasionally mistaken path–ala QWERTY). This model works for, say, aircraft safety, with government’s involvement being a nuisance that mostly benefits the duopoly of producers, and only incidentally drives out unsafe practices.

My suggestion that district attorneys could apply existing child endangerment law isn’t even a particularly viable one. If “shaming” failed here (and that isn’t entirely clear), then the problem may be that our systems for checking reputation are not as cheap, accurate, and easy-to-use as they should be. The realm of children’s products has been deeply re-shaped (in the last 50 years) by US tort practices. Surely this system just hasn’t met its parent-group worst enemy yet.

Clive Robinson February 5, 2019 8:36 AM

@ Simone,

Looking at the EU advisory it is very clear from the packaging it is in breach of EU directives on Radio and Telecommunications equipment (I won’t go into the boring details but I was involved with a court case over the same issue).

Thus the product can not be legally “CE” marked and under “blue book” rules “can not be placed on the market”.

Which whilst it may not be the real reason, gives a quite legal reason to stop it being sold.

Thus unless there are LVD or other RT&TTE equipment compliance failures the product could in theory be back on the market with just a sticker attached to the box.

The fact the complaint came from Iceland suggests there may actually be another RT&TTE failure other than the packaging.
