The peace of mind parents get with child-tracking smartwatches has been turned upside-down. A cloud-based security flaw has been allowing unauthorized people to monitor children’s locations, as reported on Wednesday (Dec. 18).
According to research conducted by Pen Test Partners, any hacker can access information about the real-time GPS location of children wearing a smartwatch or carrying a GPS tracker powered by ThinkRace safety tracking services. The Chinese company uses Amazon Cloud to supply location services to some eight million devices.
Pen Test Partners conducts penetration tests to determine whether a device offers adequate security. The company discovered that ThinkRace devices not only reveal location data, but can also eavesdrop, snoop and record conversations. They even display a photo of the location “without needing to authenticate to the correct API account,” said Vangelis Stykas, a security consultant at Pen Test Partners.
This year, researchers have discovered numerous vulnerabilities in a range of child-tracking smartwatches. The new research shows that nearly all smartwatches for children had security flaws due to a shared cloud platform.
The platform stores and retrieves data, and works as a backend system for ThinkRace devices. ThinkRace is one of the largest manufacturers of location-tracking devices. In addition to selling its own smartwatches, the company also sells its tracking devices to third-party businesses, which repackage and relabel the devices with their own branding.
“All of the devices made or resold use the same cloud platform, guaranteeing that any white-label device made by ThinkRace and sold by one of its customers is vulnerable,” according to the article.
Ken Munro, founder of Pen Test Partners, told the news outlet that their research discovered at least 47 million vulnerable devices. “It’s only the tip of the iceberg,” he said.
Munro said ThinkRace has over 360 devices, but many are branded differently. “Often the brand owner doesn’t even realize the devices they are selling are on a ThinkRace platform,” he pointed out.
Cloud platforms are “a common point of failure,” researchers said. Anyone with basic knowledge about a device can gain access to multiple devices at the same time, because account numbers are not randomized.