Bad guys can pose as dad with kids’ tracker watch
- April 18, 2019
- Posted by: Kerry Tomlinson, Archer News
- Category: Archer News, Automotive Security, Cyber Crime, Cyberattack, Data Breach, Hacking, Mobile Devices, Posts with image, Privacy, Smart Devices, Vulnerabilities
Another kids’ tracker watch — meant to keep kids safe — is flunking its security test.
In this case, researchers say the TicTocTrack watch that allows parents to monitor their children also lets bad guys talk to their kids as “Dad” or “Mom,” find the children’s real locations, and change the maps that parents see.
Now, the Australia-based TicTocTrack says it’s going through a major security audit to ferret out security problems.
Six-year-old Elle is getting a call from her dad.
At least, that’s what it says one her new watch, the TicTocTrack.
“Hello, Elle,” the voice says, as her watch automatically answers the call.
“Hi,” she responds.
But this caller is not her dad, he’s a hacker.
Luckily, he’s a hacker for good — Vangelis Stykas from a company called Pen Test Partners in Britain, far away from Elle’s home in Australia.
“Who are you?” Elle asks?
“I am Vangelis from the other part of the world,” Stykas says.
“It was a very bizarre experience,” said Elle’s real dad, security researcher Troy Hunt, who worked with the British company to test the security of this watch.
He shot video of the hacker talking to his daughter over her pink kids’ watch.
“Honestly, when I look at the video myself, and in fact after I first took it, I looked at it and I went, ‘Oh, this is creepy.’ Like, this creeps me out. And I see this sort of stuff,” he said to Archer News.
The TicTocTrack claims it can help parents keep track of their children.
It even has a page on its site dedicated to talking about security.
But Pen Test Partners found the watch’s security to be even worse than “terrible.”
Not only can attackers pose as a child’s mother or father and talk to them through the watch, they can also track down your child in real life with ease, and trick parents with fake info about their kids’ locations, the researchers said.
The watches also let attackers listen in on your child and you, according to the researchers.
“Whilst the real time tracking of kids was pretty unpleasant, the aspect that bothered me the most was the ability of third parties to silently dial the watch and listen in to your children,” Pen Test Partners’ Ken Munro told Archer News. “The watch security flaws created an audio bug.”
In the Ocean
Testing the watch, Hunt sent Elle off to tennis camp with her TicTocTrack last week.
But the testers changed the coordinates Hunt saw.
Elle appeared to be not at camp in Brisbane, but in the ocean, not far from an island.
“I actually said, ‘Just put her on the island over there.’ They got it a little bit wrong. She ended up in the ocean next to the island. But the at the point was made,” Hunt said with a chuckle.
“That would be very worrying for me, as a parent, if I suddenly saw my daughter in the ocean somewhere,” he added.
The bad guys could demand a ransom for a fake kidnapping.
Or even worse, for a real one.
“Play out every parent’s worst fears. Like the kid has been kidnapped, but you think they’re still safe at tennis camp,” Hunt said.
Luckily, Elle was indeed safe at tennis camp.
But her father is exasperated.
“The application never checked that you were the person that you said you were. You can literally become any parent that you wanted to,” he said.
“The particular organization selling this TicTocTrack already had something on the front of their website saying, ‘We take security seriously.’ And I was looking at this while this Greek guy was talking to my daughter on the phone, on the watch,” Hunt said.
Pen Test Partners researchers said the watch application left the children’s data open to be accessed and manipulated.
“This is unacceptable for a product that is supposed to keep children secure and a trend that we constantly see in the IoT [Internet of Things] market that products are rushed to the market,” they said in their April 15 post.
Pen Test Partners contacted TicTocTrack and recommended they shut the service down until they fix the problems.
The watch company responded quickly and said it did shut down its service for the time being, announced a security audit and told parents they’ll refund the monthly subscription fee for time lost.
Archer News contacted TicTocTrack and asked if it had done any security testing on its watch before it started selling.
The company did not answer the question.
TicTocTrack provided an official statement on April 16 saying the company was reviewing the research findings and doing a security audit.
There was certainly fair warning for any company making tracker watches for kids.
In October 2017, the Norwegian Consumer Council published results of research with security company Mnemonic showing some popular kids’ tracker watches let predators in.
Germany banned a number of kids tracker watches a few months later over security and privacy problems.
Consumer groups in the U.S. also warned parents to steer clear.
“Like the Plague”
They found problems in more than 50 different watch brands, leading to more than a million vulnerable kids.
“Our advice is to avoid watches with this sort of functionality like the plague,” wrote Stykas in January. “They don’t decrease your risk, they actively increase it.”
Both Munro and Hunt urge parents to take caution with connected stuff for your kids, from tablets to smart stuffed animals to other toys, like the My Friend Cayla doll that Munro said has big security flaws.
“This particular kids’ doll has no security on its Bluetooth connection, which means that anyone in the street outside, your neighbor next door, someone driving past on the street can listen to your kids and speak to them through a kid’s doll,” Munro said to Archer News. “That really, really bothers me. People can use smart tech to creep on our kids.”
Pen Test Partners offered advice for parents after finding last year’s wave of kids’ tracker watch security flaws.
As for Elle, Hunt said he explained the hacking test before the fake father call, so she was unfazed by the experiment.
Would Hunt buy the watch for his children to use?
“Absolutely not. The only reason I did it was to test it,” he said.
“I’m hoping I can get my money back now,” he added with a grin.
Main image: Elle with TicTocTrack kids’ tracker watch. Image: Troy Hunt