Back in 2017, the Norwegian Consumer Council published a damning report on the privacy leaks from kids' "smart watches," a parade of horrors that included allowing unauthorized third parties to trace your kid's location, and also to covertly eavesdrop through the watches' microphones and bark creepy orders at them through their speakers.
A year later, Pen Test Partners audited the security of the popular Misafe kid smart-watch and guess what? It was a fucking dumpster-fire, too. Six months later, Pen Test Partners checked kids "smart watches" like those from Gator and they were still fucking dumpster-fires. The accumulated evidence was finally enough to prompt a recall of Safe-Kid One, one of the terrible watches.
You'd think that this would be a wake-up call for the kids' "smart watch" sector. You'd be wrong.
This week, nearly two years after the first of these reports were published, Pen Test Partners has audited Tictoctrack, a kids' "smart watch" retailed in Australia, and you will: never. guess. what. they. found.
Tictoctrack is a rebadged Gator watch — the ones that had to fix a glaring API flaw that Pen Test Partners published on in January — but because it has its own back-end, one that keeps all kid-data onshore in Australia, it has its own grotesque security defects.
Ticktoctrack paid a Sri Lankan company called Nibaya to develop a new mobile front-end, and hosts the servers with an Australian firm called 6YS. The backend's API allows for wideranging access to all users' data with no meaningful authentication (you need a valid user/pass combo, but you can generate one of these by buying a watch and intitializing it, and thereafter you can access all of the users' accounts).
The API exposes all family data associated with the account: "including childrens' location, parents' full names, parents' phone numbers and other PII." You can also access kids' realtime location data, and erase that data so that after you've used it to kidnap someone's kids, you can erase all record of where the kid was before you snatched them.
Oh, and you can also tun the watch's mic into a covert listening device, and you can also use it as a PA that lets you say creepy things to kids in the middle of the night.
To Tictoctrack's credit, they took swift action on Pen Test Partners' report and immediately notified all their customers about the risks of using their products — albeit while downplaying the seriousness of the vulnerabilities, claiming that they had never been exploited, even though such exploitation would be virtually impossible for the company to detect. The company has taken the service down and says they'll relaunch it after they fix these defects.
The smartwatch's API can be attacked by changing the FamilyIdentifier number (which identifies the family that the user belongs to), which then could give a bad actor complete access to the user's data – including the children's location, parent's full names, phone numbers and other personal identifiable information.
"Anyone could discover the location of children using the watch," Stykas said. "Anyone could tamper with that position data, making you think your children were safe whilst they were actually elsewhere. Anyone could cause false alarms by moving the reported position of your child."
Researchers with Pen Test Partners teamed up with security researcher Troy Hunt, who lives in Australia, to test the attack. With Hunt's daughter wearing the device, Pen Test Partners researchers found that they were able to successfully both track and spoof her location– as well as contact her via a phone call, which purported to be from "dad" on the watch.
Tic Toc Pwned [Vangelis Stykas/Pen Test Partners]
TicTocTrack Smartwatch Flaws Can Be Abused to Track Kids [Lindsey O'Donnell/Threatpost]