New Delhi: Security researchers have disclosed a set of serious security flaws in a smartwatch tracker by Chinese developer 3G Electronics for the elderly and the vulnerable, especially those with dementia or other cognitive impairments.
Anyone with some basic hacking skills could track the wearer, audio bug them using the watch, or perhaps worse, could trigger the medication alert as often as they want.
“A dementia sufferer is unlikely to remember that they had already taken their medication. An overdose could easily result,” said cybersecurity experts from Pen Test Partners.
The SETracker app, which is required to be used with the smartwatch, allows an unrestricted server to server API which could be used by bad actors to hijack the SETracker service like changing device passwords, making calls, sending text messages, conducting surveillance, and accessing cameras embedded in devices.
The app is available on iOS and Android and has been downloaded over 10 million times.
The same manufacturer also makes tracker watches for children on the same cloud platform which are also probe to hacking.
Is this yet another cheap Chinese kids GPS watch story?
“No, this is much more than just kids’ watches. The SETracker platform supports automotive trackers, including both car and motorcycle, often embedded in audio head units and dementia trackers for your elderly relatives. The vulnerabilities discovered could allow control over ALL of these devices,” warned the researchers.
Pen Test Partners alerted 3G Electronics about the security flaws which, the company claims, have now been fixed.
“However, the cyberattack was possible for a considerable time. We have no idea whether it had been exploited by anyone else, as we would have had to compromise their servers to discover this, which we didn’t have permission to do,” said security researchers.
Pen Test Partners said that they advised 3G Electronics “that they may need to notify the relevant regulatory bodies due to the potential breach of personal data”.
According to Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group, there is no doubt that the exposure of such data could turn our lives upside down, but they don’t quite compare to cases where human life itself is at stake.
“As one of the functionalities of the smartwatch is to remind the user to take their pills, the attacker could simply trigger more alerts than permitted; therefore, endangering the user’s life as they could overdose. This is just one example of how the device could be manipulated,” Cipot told IANS.
Sending fraudulent messages, controlling SMS traffic, blocking the GPS trackers on the watch or even accessing the camera as well as images on these devices are only some of the many capabilities the attacker could abuse.
“Furthermore, the publicly available source code for some applications has serious flaws affecting hardcoded credentials, server information of the SETracker ecosystem database access and more,” he added.
The good thing is that 3G Electronics removed the problems and changed the exposed passwords.
However, this should be a wakeup call to every IoT provider; overlooking product security and quality can have a huge impact on many lives, said Cipot.