'A gamut of kids' GPS-tracking watches are exposing sensitive data
involving 35,000 children -- including their location, in real time.
Researchers from Pen Test Partners specifically took a look at the
Gator portfolio of watches from TechSixtyFour. The Gator line had been
in the spotlight in 2017 for having a raft of vulnerabilities, called
out by the Norwegian Consumers Council in its WatchOut research. "A
year on, we decided to have a look at the Gator watch again to see how
their security had improved," said Vangelis Stykas, in a Tuesday
posting. "Guess what: a train wreck. Anyone could access the entire
database, including real-time child location, name, parents' details
etc. Not just Gator watches either -- the same back end covered
multiple brands and tens of thousands of watches."
"At issue was an easy-to-exploit, severe privilege-escalation
vulnerability: The system failed to validate that the user had the
appropriate permission to take admin control," reports Threatpost. "An
attacker with access to the watch's credentials simply needed to
change the user level parameter in the backend to an admin
designation, which would provide access to all account information and
all watch information." '
-- source: https://it.slashdot.org/story/19/01/30/2337239
Dept. of Computer Science
University of Waikato, NZ
+64 (7) 858-5174
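
The flaw described in the quoted report, a user-level parameter accepted without a permission check, sketched beside a hardened handler. This is an added example, not code from the vendor, Pen Test Partners or the original post; the field name "level", the role names and all function names are assumptions.

```python
from dataclasses import dataclass

ADMIN, PARENT = "admin", "parent"   # hypothetical role names
CLIENT_EDITABLE = {"display_name"}  # fields a logged-in user may change


@dataclass
class User:
    user_id: int
    level: str
    display_name: str


def make_store():
    # Constructed sample accounts, not real data.
    return {1: User(1, PARENT, "parent-a"), 2: User(2, ADMIN, "operator")}


def update_profile_vulnerable(store, session_user_id, params):
    """Flawed: copies every client-supplied field, including 'level'."""
    user = store[session_user_id]
    for key, value in params.items():
        setattr(user, key, value)
    return user


def update_profile_hardened(store, session_user_id, params):
    """Allow-list editable fields; the role is never taken from the request."""
    rejected = set(params) - CLIENT_EDITABLE
    if rejected:
        raise PermissionError(f"fields not client-editable: {sorted(rejected)}")
    user = store[session_user_id]
    for key, value in params.items():
        setattr(user, key, value)
    return user


def list_all_watches(store, session_user_id, watches):
    """Admin-only view; the level is read from the server-side record."""
    if store[session_user_id].level != ADMIN:
        raise PermissionError("admin level required")
    return list(watches)
```

The admin-only view is only as trustworthy as the stored level, which is why the update path has to refuse that field from ordinary accounts.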