Smartwatches have become a handy aid for people with dementia and for the elderly. However, these vulnerable groups are now at risk of being tricked into taking their medication more often than they should. Security researchers have found a flaw in smartwatches that could trick users into letting an attacker take control of the device.
These high-tech watches are commonly used by patients and their carers so that they can communicate with ease and so that carers can easily track where their patients are. However, according to a study conducted by Pen Test Partners, a U.K. security outfit, hackers could trick patients into taking pills by sending fake reminders as often as they want.
"A dementia sufferer is unlikely to remember that they had already taken their medication," wrote Vangelis Stykas in a blog post. "An overdose could easily result."
The researchers found the flaw in the back-end cloud system, called SETracker, which powers the smartwatch. The same cloud system also powers millions of other white-label smartwatches and vehicle trackers all over Europe, all of which were vulnerable to basic attacks, said the security firm.
The team found a copy of the source code that powers the back-end cloud system, which allowed them to look for security vulnerabilities in the code. Among the most dangerous flaws they found was that the server used a hard-coded key. If exploited, it would give any hacker the power to send commands to a smartwatch.
An attacker can use the key to send a "take pills" notification, make phone calls to the patient without the knowledge of the carer, and send text messages. In the case of vehicle trackers, the attacker could make the engine stop.
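The sketch below shows why a single key baked into server source is so damaging, next to one mitigation: a random key per device, stored outside the code. It is an added example, not SETracker's code; the HMAC scheme, the key value, the device IDs and the command name are assumptions, since the article does not describe the real protocol.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: the real key and message format are not in the article.
HARD_CODED_KEY = b"static-key-committed-with-the-source"


def sign(key: bytes, device_id: str, command: str) -> str:
    """MAC over device and command so a tag cannot be moved between devices."""
    msg = f"{device_id}\x1f{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class WeakServer:
    """Before: one key in the source authorises commands to every device."""

    def accept(self, device_id, command, tag):
        return hmac.compare_digest(tag, sign(HARD_CODED_KEY, device_id, command))


class HardenedServer:
    """After: a random key per device, kept out of the source code."""

    def __init__(self):
        self._keys = {}  # device_id -> key; stands in for a secret store

    def enroll(self, device_id):
        self._keys[device_id] = secrets.token_bytes(32)
        return self._keys[device_id]

    def accept(self, device_id, command, tag):
        key = self._keys.get(device_id)
        return key is not None and hmac.compare_digest(tag, sign(key, device_id, command))


def demo():
    weak, hard = WeakServer(), HardenedServer()
    key_a = hard.enroll("watch-A")
    hard.enroll("watch-B")
    source_tag = sign(HARD_CODED_KEY, "watch-B", "REMINDER")  # built from the source alone
    return {
        "weak_accepts_source_key": weak.accept("watch-B", "REMINDER", source_tag),
        "hardened_accepts_source_key": hard.accept("watch-B", "REMINDER", source_tag),
        "hardened_accepts_other_device_key": hard.accept("watch-B", "REMINDER", sign(key_a, "watch-B", "REMINDER")),
        "hardened_accepts_owner": hard.accept("watch-A", "REMINDER", sign(key_a, "watch-A", "REMINDER")),
    }
```

With per-device keys, reading the source code yields nothing usable, and a key recovered from one watch does not authorise commands to another.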
The code also included tokens and passwords for SETracker's cloud storage, which is believed to hold data uploaded by the devices that patients use. The researchers have since confirmed that the flaw has now been fixed, but it's not clear whether the vulnerabilities had been discovered and exploited by hackers.
Pen Test Partners has previously uncovered a similar flaw in white-label child-tracking smartwatches.
The lack of security in many smart devices has alarmed lawmakers and cybersecurity experts, prompting the U.K. government to propose new legislation that would drastically improve the security of such devices. In the country, it is now being mandated that smartwatches and other smart devices must be sold with a baseline level of security in the form of unique passwords and similar measures.