Researchers are warning that vulnerabilities in a smartwatch application used by dementia patients could allow an attacker to trick patients into overdosing on their medication.
The vulnerabilities stem from the SETracker application, developed by 3G Electronics of Shenzhen, China. The app, which is available on iOS and Android and has been downloaded more than 10 million times, powers a range of third-party smartwatch devices. These smartwatches are used by elderly patients with dementia who need reminders to take their medication and to carry out everyday tasks. The app is also used by parents to track their children, which widens the impact of the security issues.
“Is this yet another cheap Chinese kids GPS watch story? No, this is much more than just kids watches. The SETracker platform supports automotive trackers, including both car and motorcycle, often embedded in audio head units, and dementia trackers for your elderly relatives,” said Vangelis Stykas, with Pen Test Partners, in a Thursday post. “The vulnerabilities discovered could allow control over ALL of these devices.”
Researchers discovered an unrestricted server-to-server application programming interface (API) behind the app that let them carry out a number of malicious actions. The API required no authentication to send commands other than a semi-random string, and that string was hardcoded in the shipped code. Anyone who extracts it can therefore send commands as if they were a “trusted” server, meaning a remote, unauthenticated attacker could issue commands freely, said researchers.
“This was trivial to discover, all we had to do was just read through the compiled JavaScript code in the node file to understand what the API was doing,” said Stykas. “With no API restrictions and knowing the API structure we could take over all the devices.”
This issue allows an attacker who knows the device ID of a smartwatch to make the device call any phone number or send an SMS with any text from the watch, spy on the smartwatch, fake a message from a “parent” to the smartwatch, or access its camera. Worse, an attacker could send a “TAKEPILLS” command to the smartwatch. The app uses this command to remind the wearer to take medication, and the attacker can trigger it even if the wearer has already taken their pills.
“Like every smart tracker watch we’ve looked at, anyone with some basic hacking skills could track the wearer, audio bug them using the watch, or perhaps worst, could trigger the medication alert as often as they want,” said Stykas. “A dementia sufferer is unlikely to remember that they had already taken their medication. An overdose could easily result.”
Researchers also discovered the source code of the app publicly available. It laid bare the MySQL password for all databases; email, SMS and Redis (an in-memory data store) credentials; the entire server-side source code for SETracker; and the IPs and services of the 16 backend servers behind the app. The default password (123456) is also hardcoded in the source code.
“It should be noted that at no point did we access the database, validate any of the credentials or view the pictures that users uploaded,” said Stykas.
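The finding above (database, email, SMS and Redis credentials plus a default password sitting in source) is the kind of thing a scan of the repository catches before release. The following is an added example, not SETracker's code or a Pen Test Partners tool: a small scanner for credential-bearing connection URLs and password literals that flags weak defaults and redacts what it finds. The config snippet it runs over is constructed for the example and is not the real project's file.

```javascript
"use strict";
// Added example, not SETracker code. A small scanner for the kind of finding
// described above: credentials sitting in source. It runs over a constructed
// config snippet embedded below; nothing here is the real project's file.

// Connection URLs that carry credentials: scheme://user:secret@host
const URL_CREDS = /\b(mysql|postgres|redis|smtp|mongodb|amqp):\/\/([^:\/\s@]*):([^@\s'"]+)@/i;
// Assignments such as password: 'x', passwd = "x", dbPwd: x
const PASSWORD_ASSIGN = /(password|passwd|pwd)\s*[:=]\s*['"]?([^'"\s,;}]+)/i;

// Defaults that should never ship in code (the article notes 123456).
const WEAK_DEFAULTS = new Set(["123456", "password", "admin", "root", "changeme", "default"]);

function isWeak(secret) {
  return WEAK_DEFAULTS.has(secret.toLowerCase()) || secret.length < 8;
}

// Never echo the secret back in a report; keep a short hint for triage.
function redact(secret) {
  return secret.slice(0, 2) + "*".repeat(Math.max(0, secret.length - 2));
}

// Returns one finding per line, in file order: URL credentials take
// precedence over a bare password literal on the same line.
function scanForSecrets(text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    const url = line.match(URL_CREDS);
    if (url) {
      findings.push({
        line: i + 1,
        kind: "url-credentials",
        scheme: url[1].toLowerCase(),
        user: url[2],
        hint: redact(url[3]),
        weak: isWeak(url[3]),
      });
      return;
    }
    const pw = line.match(PASSWORD_ASSIGN);
    if (pw) {
      findings.push({
        line: i + 1,
        kind: "password-literal",
        hint: redact(pw[2]),
        weak: isWeak(pw[2]),
      });
    }
  });
  return findings;
}

// Constructed sample in the style of a Node config file; not the real project.
const SAMPLE_CONFIG = [
  "// config.js (constructed sample, not the real project file)",
  "const dbUrl = 'mysql://root:123456@10.0.0.5:3306/tracker';",
  "const redisUrl = 'redis://:changeme@10.0.0.6:6379';",
  "const smtp = { host: 'mail.example.com', user: 'alerts', password: 'uJ7#kq2!Lm' };",
  "const defaultPassword = '123456';",
  "const listenPort = 8080;",
].join("\n");

// Usage: print a redacted report; a CI gate would fail the build on any
// finding, and on weak ones in particular.
for (const f of scanForSecrets(SAMPLE_CONFIG)) {
  console.log(`line ${f.line}: ${f.kind}${f.user !== undefined ? " user=" + f.user : ""} secret=${f.hint}${f.weak ? " WEAK" : ""}`);
}
```

Two regexes are not a full secret scanner, but the structure (pattern, weak-default check, redaction, file-ordered findings) is what a repository hook needs; the patterns are the part to extend for a given code base.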
While IoT device security issues are nothing new, connected smartwatch privacy issues are viewed as particularly insidious when they affect the elderly and children. In April 2019, a popular smartwatch that allows parents to track their children's whereabouts, TicTocTrack, was discovered to be riddled with security issues that could allow hackers to track and call children. In January 2019, researchers found an array of security issues in the Gator portfolio of watches from TechSixtyFour, including flaws exposing sensitive data of 35,000 children. In February 2019, the European Commission issued a recall for the Safe-KID-One, an IoT watch made by German company Enox Group, due to “serious” privacy issues.
Researchers reported the SETracker flaws on Jan. 22; the vendor responded on Feb. 12 and later fixed the issues. “Fortunately, the manufacturer in the Far East responded when we alerted them. They fixed the security flaws a few days later, so the attack isn’t possible any more. However, it was possible for a considerable time,” said Stykas. “We have no idea whether it had been exploited by anyone else, as we would have had to compromise their servers to discover this, which we didn’t have permission to do.”