Parents give their children smartwatches with GPS to monitor their location. However, security flaws mean that parents are not the only ones who can track their children. This year, researchers discovered several vulnerabilities in a number of child-tracking smartwatches.

However, new findings reveal that almost all of them share a far greater and more damaging flaw in a common cloud platform used to power cell-enabled smartwatches. The cloud platform was developed by Thinkrace, a Chinese white-label electronics firm. The platform serves as a backend system for devices made by the company.

It also stores and retrieves locations and other device data. Aside from selling its own child-tracking smartwatches to parents, the company reportedly sells its tracking devices to third-party businesses, which repackage and rebrand the devices with their own labels to be sold to consumers. These rebranded devices share the same cloud platform, which means that all white-label devices developed by Thinkrace and sold to one of its customers are vulnerable, TechCrunch reports.

Pen Test Partners founder Ken Munro recently shared the findings with TechCrunch. The study discovered 47 million vulnerable devices, which, according to the founder, is only the tip of the iceberg. Munro and his team found that Thinkrace made 360 devices, the majority of which are smartwatches.

Due to reselling and relabeling, many of the devices made by Thinkrace carry different brands. Most of the time, brand owners are not even aware that the devices they are selling run on Thinkrace's platform, the founder revealed. Every single device sold interacts with the cloud platform either through an endpoint hosted on a web domain managed by the reseller or directly on the Thinkrace platform. The research team traced the commands back to Thinkrace's cloud platform, which, according to them, is a common point of failure.

The majority of the commands that control these devices do not require authorization, Munro said. They are also well-documented, which allows anyone with basic knowledge to gain access and monitor a device. Since there is no randomization of account numbers, the researchers discovered that they could easily access the devices in bulk by simply increasing every account number by one.
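The two weaknesses described above (no authorization on commands, and sequential account numbers) are shown below next to a corrected handler. This is an added illustration, not code from Thinkrace, Pen Test Partners or the TechCrunch report; the function names, session tokens and device records are hypothetical and constructed for the example.

```python
import secrets

# Constructed sample data: sequential account id -> owner and last location.
DEVICES = {
    1001: {"owner": "parent-a", "location": (51.50, -0.12)},
    1002: {"owner": "parent-b", "location": (48.85, 2.35)},
    1003: {"owner": "parent-c", "location": (40.71, -74.00)},
}
SESSIONS = {"tok-a": "parent-a"}  # constructed session token -> logged-in user


def get_location_vulnerable(account_id):
    """The flaw as described: the caller's identity is never checked."""
    device = DEVICES.get(account_id)
    return device["location"] if device else None


def get_location_hardened(session_token, account_id):
    """Authenticate the caller, then authorize against the device's owner."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise PermissionError("unauthenticated")
    device = DEVICES.get(account_id)
    # Same error for "no such id" and "not your device", so a response
    # never confirms which account numbers exist.
    if device is None or device["owner"] != user:
        raise PermissionError("not authorized for this device")
    return device["location"]


def new_account_id():
    """Defence in depth: a 128-bit random id has no 'next' value to guess."""
    return secrets.token_hex(16)


def reachable_by_increment(handler, start, count):
    """Regression check: how many consecutive ids return data to one caller?"""
    hits = 0
    for account_id in range(start, start + count):
        try:
            if handler(account_id) is not None:
                hits += 1
        except PermissionError:
            pass
    return hits
```

Random identifiers only make guessing harder; the ownership check in `get_location_hardened` is what actually closes the hole, so the regression check should sit in the API's test suite.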

 

This cloud vulnerability puts at risk not only children but also others who use the devices. In one case, Thinkrace gave 10,000 smartwatches to athletes participating in the Special Olympics. In other words, each athlete with the device could have their location monitored, revealed the research team.