Kids smart trackers and vulnerabilities

An interesting and insightful article from PenTestPartners on vulnerabilities that have appeared in kid smart trackers and IoT devices.

Kids smart tracker watch security: everyone has missed the point. It’s not a few thousand here and there. It’s at least 47 million, probably around 150 million exposed tracking devices.

It all points back to two or three lazy device manufacturers, much like Mirai v1 did

There have been lots of smart tracker watch security stories. Probably the first was @skooooch who raised serious concerns at Kiwicon about 360,000 car trackers and engine immobilisers in 2015. Lachlan also flagged the connection to thinkrace and kids tracker watches.

Kids smart trackers and vulnerabilities

Others all missed the point, including us:


Putting aside the default creds and permissions issues that researchers keep finding on individual watches, thinkrace really are a monstrosity of fail.

Most API calls don’t need authorisation, they are very well documented within the service itself – literally just browse to the Web Service Descriptions Language (WDSL) file.

All variables simply increment integers meaning you can brute force and also deduce numbers of devices with ease.

Add a new account, see the ID number, then add another new account and see the ID number increase by one.

In virtually all devices (including non-thinkrace) we have seen the default password is 123456!

Read the full article from here.