A GPS tracking smartwatch for children, sold by an Australian company backed to the tune of $1 million by the Queensland government, has been found to have a security flaw that computer security researchers say allowed them to track a child, make the child appear to be in another location, call them and listen in on them, all without any interaction from the user.
It's every parent's worst nightmare: discovering the smartwatch tracking device you bought to protect your child could be used instead by a stranger to stalk them.
TicTocTrack founder Karen Cantwell with son Hunter, from an interview with Nine's Today show in 2014. Credit: Nine
But that's the reality confronting those who purchased the $210 smartwatch marketed by Australian mother Karen Cantwell, from Brisbane, who is behind the TicTocTrack smartwatch.
The company sent an email to users about the issue on Monday afternoon explaining why it would temporarily shut down its service after Ken Munro, a computer security researcher from Britain, told it of the flaw over the weekend. Mr Munro also worked with Troy Hunt, another security researcher from Brisbane, to uncover the vulnerability and demonstrate how "trivial" it was to exploit.
"It's a failure to correctly check that the person logged in to the account is the person authorised to access that data," Mr Munro said in an email. "As a result, anyone can access anyone else's data."
Mr Munro and Mr Hunt both described the flaw in detail in separate blog posts on their respective websites. Mr Hunt also filmed a video of his six-year-old daughter Elle using the watch, in which the watch was remotely accessed by an unauthorised third party, who spoke to her.
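The flaw Mr Munro describes is a missing object-level authorisation check: the server confirms that a session exists but never confirms that the session's owner is allowed to read or change the record named in the request. The example below is added here for illustration and is not taken from TicTocTrack's software or from either researcher's post; its handlers, account names and location data are hypothetical. It shows that pattern in a small Python service beside a fixed version that checks ownership on both the read path (tracking) and the write path (making a child appear elsewhere), and a sweep over a contiguous block of identifiers that shows why sequentially allocated device numbers turn one such omission into a way to read every account.

```python
# Added illustration of the class of flaw the researchers describe: an API
# that confirms the caller is logged in but never checks that the record they
# asked for belongs to them. Handlers, names and data here are hypothetical;
# this is not TicTocTrack's code.
from dataclasses import dataclass


@dataclass
class Device:
    device_id: int
    owner: str
    last_location: tuple  # (latitude, longitude)


# Constructed sample data: two parents, each with one child's watch.
DEVICES = {
    1001: Device(1001, "parent_a", (-27.47, 153.03)),
    1002: Device(1002, "parent_b", (-33.87, 151.21)),
}
# Constructed sample sessions: a bearer token maps to a logged-in account.
SESSIONS = {"token-a": "parent_a", "token-b": "parent_b"}


# --- Vulnerable handlers: authentication only -------------------------------
def get_location_vulnerable(token, device_id):
    if token not in SESSIONS:           # is *someone* logged in?
        return 401, None
    device = DEVICES.get(device_id)
    if device is None:
        return 404, None
    return 200, device.last_location    # ...but never asks whose device this is


def set_location_vulnerable(token, device_id, location):
    if token not in SESSIONS:
        return 401, None
    device = DEVICES.get(device_id)
    if device is None:
        return 404, None
    device.last_location = location     # any account can move any child on the map
    return 200, device.last_location


# --- Fixed handlers: authentication plus object-level authorisation ---------
def authorize(token, device_id):
    """Who is calling, and does the requested device belong to them?"""
    user = SESSIONS.get(token)
    if user is None:
        return 401, None
    device = DEVICES.get(device_id)
    # Same answer for "not yours" and "does not exist", so the endpoint cannot
    # be used to learn which ids are allocated.
    if device is None or device.owner != user:
        return 404, None
    return 200, device


def get_location_fixed(token, device_id):
    status, device = authorize(token, device_id)
    if status != 200:
        return status, None
    return 200, device.last_location


def set_location_fixed(token, device_id, location):
    status, device = authorize(token, device_id)
    if status != 200:
        return status, None
    device.last_location = location
    return 200, device.last_location


def sweep(handler, token, id_range):
    """Walk a contiguous id block with one session; return what it could read."""
    leaked = {}
    for device_id in id_range:
        status, body = handler(token, device_id)
        if status == 200:
            leaked[device_id] = body
    return leaked


if __name__ == "__main__":
    print("vulnerable, parent_b reads 1001:", get_location_vulnerable("token-b", 1001))
    print("vulnerable sweep:", sweep(get_location_vulnerable, "token-b", range(1000, 1010)))
    print("fixed, parent_b reads 1001:", get_location_fixed("token-b", 1001))
    print("fixed sweep:", sweep(get_location_fixed, "token-b", range(1000, 1010)))
```

The fix is deliberately a single shared `authorize` step that every handler calls before touching a record, rather than a check bolted onto the read path alone; the write path is what lets an attacker place a child somewhere they are not. Returning 404 rather than 403 for another account's device is a design choice: a distinct "forbidden" answer would confirm which identifiers exist, which is exactly the enumeration the sweep relies on.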
Security researcher Troy Hunt's six-year-old daughter Elle with a TicTocTrack smartwatch. Credit: Troy Hunt
The watch, which requires a SIM card and a monthly subscription of between $6 and $20, has been on sale in Australia since about 2014 and uses hardware made by Chinese company Gator.
The software is developed in partnership with Sri Lanka-based Nibaya, although Ms Cantwell said TicTocTrack dealt with the head of the company's development team in Perth.
Ms Cantwell described the British security researcher's explanation of the flaw as "a generalisation".
"This is yet to be confirmed as an issue beyond the penetration testing conducted by Ken Munro," Ms Cantwell said, declining to reveal how many TicTocTrack smartwatches have been sold in Australia.
Earlier this month, Ms Cantwell told ABC News that sales had increased by 600 per cent over the past three years. Mr Hunt estimates sales could be around 3500 if the identifier assigned to the watch he bought was allocated sequentially. "We'll pass on this question," Ms Cantwell said when asked.
In addition to receiving money from the Queensland government, Ms Cantwell's company is a registered National Disability Insurance Scheme provider.
In November 2017, news website WeLiveSecurity reported that German parents were being told to destroy smartwatches they bought for their children after the country's communications regulator put a ban in place to prevent their sale following revelations about similar security flaws.