An interesting and insightful article from PenTestPartners on vulnerabilities that have appeared in kids' smart tracker watches and other IoT devices.
Kids smart tracker watch security: everyone has missed the point. It’s not a few thousand here and there. It’s at least 47 million, probably around 150 million exposed tracking devices.
It all points back to two or three lazy device manufacturers, much like Mirai v1 did
There have been lots of smart tracker watch security stories. Probably the first was @skooooch who raised serious concerns at Kiwicon about 360,000 car trackers and engine immobilisers in 2015. Lachlan also flagged the connection to thinkrace and kids tracker watches.
Others all missed the point, including us:
- The Icelandic data protection authority banned Enox, missing the point
- AVAST missed the point, with about 230,000 watches
- Rapid7 missed the point with the G36 and SmarTurtles watch
- AV-TEST missed the point with the SMA watch
- The Norwegian Consumer Council missed the point
- And yes, we also missed the point last year
Putting aside the default creds and permissions issues that researchers keep finding on individual watches, thinkrace really are a monstrosity of fail.
Most API calls don’t need authorisation; they are very well documented within the service itself – literally just browse to the Web Services Description Language (WSDL) file.
All identifiers are simply incrementing integers, meaning you can brute force them and also deduce the number of devices with ease.
Add a new account, see the ID number, then add another new account and see the ID number increase by one.
In virtually all devices (including non-thinkrace) we have seen the default password is 123456!
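To make the enumeration problem concrete, here is an added, constructed simulation (this is not PenTestPartners' code and not thinkrace's real API; every device record, owner name and coordinate in it is made up). It models a service that hands out sequential integer IDs with no authorisation check on lookups and a 123456 default password, shows how the "add two accounts and watch the ID step" trick yields a population estimate and how a simple ID sweep finds exposed devices still on the default password, and then contrasts it with an opaque-ID design that checks ownership and refuses the default password. The class and function names are hypothetical.

```python
"""Constructed simulation of the weaknesses described above (not the real
thinkrace API). Contrasts sequential, unauthenticated IDs with opaque,
owner-checked IDs. All data below is made up for illustration."""
import secrets
from dataclasses import dataclass

DEFAULT_PASSWORD = "123456"  # the factory default the article reports


@dataclass
class Device:
    owner: str
    password: str
    lat: float
    lon: float


class SequentialTrackerService:
    """Weak design: IDs increment by one and any caller can read any device."""

    def __init__(self, seed_count=0):
        self._devices = {}
        self._next_id = 1
        # Pre-populate with devices that were never changed off the default
        for i in range(seed_count):
            self.add_device(f"user{i}", DEFAULT_PASSWORD, 0.0, 0.0)

    def add_device(self, owner, password, lat, lon):
        dev_id = self._next_id          # predictable: last ID + 1
        self._next_id += 1
        self._devices[dev_id] = Device(owner, password, lat, lon)
        return dev_id

    def get_location(self, dev_id):
        # No authorisation: whoever guesses an ID sees that child's location.
        dev = self._devices.get(dev_id)
        return None if dev is None else (dev.lat, dev.lon)

    def login(self, dev_id, password):
        dev = self._devices.get(dev_id)
        return dev is not None and secrets.compare_digest(dev.password, password)


def estimate_population(service):
    """Create two accounts and look at the IDs handed back. Because IDs start
    at 1 and step by 1, the first ID minus one is the number of records that
    already existed; the difference between the two confirms the step size."""
    first = service.add_device("probe-a", "x", 0.0, 0.0)
    second = service.add_device("probe-b", "x", 0.0, 0.0)
    return first - 1, second - first


def enumerate_devices(service, upper):
    """Sweep every integer ID up to `upper`; record which IDs leak a location
    and which of those still accept the default password."""
    exposed, default_creds = [], []
    for dev_id in range(1, upper + 1):
        if service.get_location(dev_id) is None:
            continue
        exposed.append(dev_id)
        if service.login(dev_id, DEFAULT_PASSWORD):
            default_creds.append(dev_id)
    return exposed, default_creds


class OpaqueTrackerService:
    """Hardened design: unguessable IDs, ownership check, no default password."""

    def __init__(self):
        self._devices = {}

    def add_device(self, owner, password, lat, lon):
        if password == DEFAULT_PASSWORD:
            raise ValueError("factory default password is not accepted")
        dev_id = secrets.token_urlsafe(16)  # 128 random bits: not enumerable
        self._devices[dev_id] = Device(owner, password, lat, lon)
        return dev_id

    def get_location(self, dev_id, caller):
        dev = self._devices.get(dev_id)
        if dev is None or dev.owner != caller:
            return None  # same answer for "missing" and "not yours"
        return (dev.lat, dev.lon)


if __name__ == "__main__":
    weak = SequentialTrackerService(seed_count=5)
    print("existing records, id step:", estimate_population(weak))
    print("exposed, still on 123456:", enumerate_devices(weak, 10))
    strong = OpaqueTrackerService()
    did = strong.add_device("alice", "correct horse battery", 51.5, -0.1)
    print("owner lookup:", strong.get_location(did, "alice"))
    print("stranger lookup:", strong.get_location(did, "mallory"))
```

Running the weak service with five pre-seeded devices, the two probe accounts come back as IDs 6 and 7, so the attacker learns there were five records and that the step is one; the sweep then lists all seven devices and finds the original five still on 123456. The opaque service gives a stranger the same `None` whether the ID is wrong or simply not theirs, so nothing about the population leaks through the lookup.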
Read the full article here.