Year after being blasted for dodgy security, GPS kid tracker biz takes heat again for leaving families' private info laying around for crims

www.theregister.co.uk | 2/1/2019 | Staff

A manufacturer of child-tracking smartwatches was under fire this week following the discovery of a second major security lapse in its technology in as many years.

Back in late 2017, Gator-branded wearables were among various kid-monitoring gizmos raked over the coals by Norwegian researchers who found the devices were trivial to remotely hijack. These gadgets are essentially cellular-connected smartwatches youngsters wear so that parents can watch over their offspring from afar, tracking their whereabouts, listening in on built-in microphones, and contacting them.


Fast forward roughly a year, and Brit infosec outfit Pen Test Partners decided to take a look at the security of these gadgets to see if defenses had been shored up. The team found that the web portal used by families to monitor their tykes' Gator watches had a pretty bad exploitable bug.

Logged-in parents could set their own access level via a user-controlled parameter, allowing them to upgrade their accounts to administrator level. That could be exploited by stalkers, crims and other miscreants to snoop on as many as 30,000 customers, obtain their contact details, and identify and track the location of children.


"This means that an attacker could get full access to all account information and all watch information," explained Pen Test Partners' Vangelis Stykas earlier this week.

"They could view any user of the system and any device on the system, including its location. They could manipulate everything and even change users’ emails/passwords to lock them out of their watch."


He explained: "The Gator web backend was passing the user level as a parameter. Changing that value to another number gave super admin access throughout the platform. The system failed to validate that the user had the appropriate permission to take admin control."
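To make the flaw described above concrete, here is an added illustration in Python that is not code from Gator, Pen Test Partners or The Register. It shows a toy backend handler that trusts a client-supplied access level, next to a corrected handler that takes the role from the server-side session and ignores whatever the client sends, plus a simple check a defender could run over request logs. Every session, watch record, numeric level and request in it is constructed for the example; the real parameter names and values are not given in the article.

```python
"""
Added illustration of a broken access control pattern: the caller's
privilege level arrives as a request parameter instead of being looked
up server-side. Not code from Gator or Pen Test Partners; all names,
records and level numbers below are constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed server-side state: logged-in sessions and the watches they own.
SESSIONS = {
    "sess-parent-1": {"user_id": 101, "role": "parent"},
    "sess-admin-9": {"user_id": 1, "role": "admin"},
}
WATCHES = {
    201: {"owner": 101, "child": "constructed child A", "location": "51.50,-0.12"},
    202: {"owner": 102, "child": "constructed child B", "location": "53.48,-2.24"},
}

# Placeholder numeric levels; the article does not give the real values.
PARENT_LEVEL = 1
ADMIN_LEVEL = 2


@dataclass
class Request:
    """A constructed stand-in for an authenticated HTTP request."""
    session_id: str
    params: dict = field(default_factory=dict)


def _owned_watches(user_id):
    return {wid: w for wid, w in WATCHES.items() if w["owner"] == user_id}


def list_watches_vulnerable(req):
    """The flaw pattern: the access level is read from the client's own request.

    A logged-in parent who sends level=2 is treated as an administrator and
    receives every device on the platform, including locations.
    """
    session = SESSIONS.get(req.session_id)
    if session is None:
        raise PermissionError("not logged in")
    level = int(req.params.get("level", PARENT_LEVEL))
    if level >= ADMIN_LEVEL:
        return dict(WATCHES)
    return _owned_watches(session["user_id"])


def list_watches_fixed(req):
    """Corrected handler: the role comes from the server-side session only.

    Any 'level' parameter the client sends is simply never consulted, so
    tampering with it changes nothing.
    """
    session = SESSIONS.get(req.session_id)
    if session is None:
        raise PermissionError("not logged in")
    if session["role"] == "admin":
        return dict(WATCHES)
    return _owned_watches(session["user_id"])


def detect_level_tampering(req):
    """Detection check: a non-admin session claiming an admin level in its
    parameters is a strong signal of privilege-escalation attempts and is
    worth alerting on even after the handler has been fixed."""
    session = SESSIONS.get(req.session_id)
    if session is None or "level" not in req.params:
        return False
    claimed = int(req.params["level"])
    return session["role"] != "admin" and claimed >= ADMIN_LEVEL


if __name__ == "__main__":
    tampered = Request("sess-parent-1", {"level": str(ADMIN_LEVEL)})
    print("vulnerable handler returns:", sorted(list_watches_vulnerable(tampered)))
    print("fixed handler returns:     ", sorted(list_watches_fixed(tampered)))
    print("tampering detected:        ", detect_level_tampering(tampered))
```

The point of the fix is not input validation on the level field but removing the field from the trust decision altogether: authorization data belongs in state the server controls, and anything the client can edit is a claim, not a fact.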

The attacker would also be able to change the email and passwords on a given watch to lock victims out of...
(Excerpt) Read more at: www.theregister.co.uk