Children Stalked Using Hacked Smartwatch

A GPS-enabled SmartWatch used by parents to track and communicate with their children (and elderly parents) has been shown to be vulnerable to hackers, who can use it to track the child’s location, falsify the location shown to parents, add themselves as a parent, and view information associated with the account.

Many parents today are concerned that children are less safe than they were when they themselves were young. Today parents want to know where their children are at all times and know how to contact them. For children too young to be responsible for their own smartphone, a smartwatch seems like an attractive option, combining wearable features and durability. Those caring for the elderly who may have dementia or have other mental or physical limitations may have similar concerns. But if that device is hacked, it suddenly becomes a tracking device telling the hacker not only the location of your child but a wealth of personal information about them and your family.

There have been a host of examples of poorly secured devices aimed at children which exposed their information, their recorded voices or their photographs to anyone on the Internet. But the TicTockTrack GPS-enabled SmartWatch by Australian company iStaySafe allows hackers to identify the child’s location as well as sensitive family information. This would potentially allow the hacker not only to locate the child when he or she was away from school or home but also to approach the child knowing the names of the child and the parents, making social engineering far easier. After all, if you can tell a child, “Kevin, I’m a friend of your mom Susan. She had a car accident and asked me to pick you up from the park and take you home to your house on Maple Street,” doesn’t that sound convincing?

Flaws Exposed Remain Unsolved

Often when security flaws like these are exposed in software on our smartphones or on our laptops, a patch is issued within days and the problem is solved. Unfortunately, the fact that this is a hardware device may be causing a problem here, since this flaw appears to have been exposed for at least a year! That means hackers know about it but no fix is in place.

The websites Pen Test Partners (for Penetration Test, the term used in the cyber security industry for companies that test security procedures) and TroyHunt go into far more detail than we can here about how the hack works. They list some of the brand names beyond TicTockTrack, such as Gator, and the response of various government agencies around the world, which seems to be universal condemnation that stops just short of outright preventing the sellers from continuing to sell these insecure devices. Unfortunately, one of the problems with so much information about this vulnerability being made available is that it serves as a how-to for less skilled hackers. There are already YouTube videos explaining how to get started. Doesn’t that make you feel safe?

So What Should You Do?

One of the broader implications of this story is that location-based software running on any device can be hacked by third parties and used to track the location of your device. MyProfyle has discussed how certain types of hardware and apps such as weather apps are notorious for being “always on” and tracking your location and activity under their default settings and sometimes even when they are turned off. In these cases, you are trusting that these applications are secure or else they can be turned into tracking devices by third parties.

MyProfyle recommends that you keep the use of these apps to a minimum and rely on web-based alternatives whenever possible. The slight delays in getting the results you need come with the benefits of improved security with the added bonus of more free space on your device from removing unnecessary apps. We also recommend that you set up dummy profiles with false names and email addresses for these accounts so that you can access your information but no one can look you up to find your children or elderly parents based on your name. It’s not foolproof – your location data is likely going to remain in the system – but it’s a good start.

At MyProfyle, we believe this threat is further proof that everyone’s information is at risk from many different sources and that we are all exposed multiple times per year. The solution to identity fraud is not to try to lock your identity or seek unobtainable privacy but to control your identity – not just your credit – by putting yourself in the position to know of, approve or decline activity conducted in your name. That’s MyProfyle Free For Life™ Identity Protection.

References

PenTestPartners

TroyHunt
