Australian cyber security expert Troy Hunt has expressed frustration at the seemingly persistent refusal of smart device manufacturers and distributors to take seriously the potential security flaws in the products they make and sell.
Working with UK-based penetration testing collective Pen Test Partners, Hunt helped to uncover purported security flaws in the TicTocTrack GPS tracking smartwatch for children, the primary product offering by Australian company iStaySafe, founded by CEO Karen Cantwell.
TicTocTrack claims on its website that its software platform allows users to monitor their child from “anywhere in the world”.
The company temporarily suspended access to its service on 15 April after security flaw concerns were raised by Hunt and Pen Test Partners. On the same day, it issued a notice to users that it had temporarily restricted access to its service as it worked to confirm the validity of the security flaws flagged by the researchers and to fix them.
According to the cyber security researchers, the TicTocTrack watch hardware is produced by Gator, the company that came under the scrutiny of the Norwegian Consumer Council as early as 2017 due to security issues.
“Strangers can easily seize control of the watches and use them to track and eavesdrop on children,” the Council said in an online post dated 18 October 2017, referring to a number of smartwatches for children, including a model by Gator.
Now, well over a year later, the issues with Gator-made GPS connected smartwatches appear to have lingered, this time in the form of TicTocTrack’s product offering in the local market.
According to Hunt, Pen Test Partners’ security researchers were able to exploit vulnerabilities to make it look as though the wearer of the watch was in an entirely different location and to allow an unauthorised person to call the watch and speak to the child wearing the device, among other things.
“By using either the app or directly accessing [the] API [application programming interface], you can access, manipulate and delete anyone’s data and snoop and [two-]way communicate with any watch,” Pen Test Partners security consultant Vagelis Stykas said in a blog post.
“All in all we can see that the developer of the backend took no consideration into authorizing any of the requests, and cared only that the application was working effectively, leaving all the data available to access and manipulate.
“This is unacceptable for a product that is supposed to keep children secure and a trend that we constantly see in the IoT market that products are rushed to the market,” he said.
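The backend behaviour Stykas describes, requests that are authenticated but never checked against who owns the data, is the classic broken object-level authorization pattern. The following is an added, constructed Python model written for this page; it is not TicTocTrack, Gator or Nibaya code, and the user ids, watch ids, coordinates and handler names are all assumptions made for the demonstration. It puts the vulnerable handlers beside their hardened form and runs the cross-account probe a tester would use to tell them apart.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


class Forbidden(PermissionError):
    """Authenticated caller tried to use a watch it does not own."""


@dataclass
class Watch:
    watch_id: int
    owner_id: int
    location: str  # "lat,lon" string; the format is an assumption for this example


def sample_watches() -> Dict[int, Watch]:
    # Constructed sample data: two parents (user 1 and user 2), one watch each.
    return {
        1001: Watch(1001, owner_id=1, location="-33.8688,151.2093"),
        1002: Watch(1002, owner_id=2, location="-37.8136,144.9631"),
    }


@dataclass
class Backend:
    watches: Dict[int, Watch] = field(default_factory=sample_watches)

    # --- Vulnerable pattern: the caller is authenticated, the request is never authorized ---
    def get_location_vulnerable(self, session_user: Optional[int], watch_id: int) -> str:
        if session_user is None:
            raise PermissionError("login required")
        # BUG: watch_id comes straight from the client and nothing ties it to session_user,
        # so any logged-in user can read any watch by supplying (or enumerating) its id.
        return self.watches[watch_id].location

    def set_location_vulnerable(self, session_user: Optional[int], watch_id: int, loc: str) -> None:
        if session_user is None:
            raise PermissionError("login required")
        # BUG: the same omission on a write path is what lets a stranger change where
        # a child appears to be.
        self.watches[watch_id].location = loc

    # --- Hardened pattern: every handler resolves the watch through an ownership check ---
    def _owned_watch(self, session_user: Optional[int], watch_id: int) -> Watch:
        if session_user is None:
            raise PermissionError("login required")
        watch = self.watches.get(watch_id)
        # One identical error for "no such watch" and "not your watch", so a rejected
        # request does not confirm which ids exist.
        if watch is None or watch.owner_id != session_user:
            raise Forbidden("watch not accessible")
        return watch

    def get_location(self, session_user: Optional[int], watch_id: int) -> str:
        return self._owned_watch(session_user, watch_id).location

    def set_location(self, session_user: Optional[int], watch_id: int, loc: str) -> None:
        self._owned_watch(session_user, watch_id).location = loc


def probe_cross_account_access(backend: Backend) -> Dict[str, bool]:
    """Act as user 1 and try to read and rewrite user 2's watch through both code paths.

    Returns True for each path that let the cross-account request through. This is the
    check to run against any multi-tenant endpoint: log in as one account, replay the
    request with another account's identifier, and see whether the server notices.
    """
    attacker, victim_watch, spoofed = 1, 1002, "0.0000,0.0000"
    results: Dict[str, bool] = {}
    for label, fn, args in [
        ("vulnerable_read", backend.get_location_vulnerable, (attacker, victim_watch)),
        ("vulnerable_write", backend.set_location_vulnerable, (attacker, victim_watch, spoofed)),
        ("hardened_read", backend.get_location, (attacker, victim_watch)),
        ("hardened_write", backend.set_location, (attacker, victim_watch, spoofed)),
    ]:
        try:
            fn(*args)
            results[label] = True
        except PermissionError:
            results[label] = False
    return results


if __name__ == "__main__":
    for path, leaked in probe_cross_account_access(Backend()).items():
        print(f"{path:16s} cross-account access {'ALLOWED' if leaked else 'denied'}")
```

The point of routing every hardened handler through one `_owned_watch` lookup is that authorization cannot be forgotten on a new endpoint the way it can when each handler does its own check, and the probe is the regression test that keeps it that way.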
According to Hunt, the development of the app for the TicTocTrack service was outsourced to Sri Lankan software development company Nibaya. This is an important point, as it underpins one of Hunt’s major gripes about the apparent ongoing lack of attention to security by those who make connected devices and the systems that tap into them.
“I’ve been involved with a bunch of really poorly implemented ‘Internet of Things’ things in the past that presented serious privacy risks to those who used them,” Hunt said in a blog post.
“What’s infuriating about this situation is that not only do these egregiously obvious security flaws keep occurring, they’re just not being taken seriously enough by the manufacturers and distributors when they do occur,” he said.
While the discovery of the TicTocTrack vulnerabilities is likely to raise immediate concerns for consumers and their children in the local market, the more telling point is perhaps Hunt’s frustration with the ongoing carelessness with which device manufacturers and distributors treat security when they build and sell their products.
And, perhaps most disturbingly of all, it is those products targeted at children and their parents that seem to be among the worst offenders when it comes to failing to meet even basic security requirements to protect their users.
Indeed, in his wrap-up of the TicTocTrack research, Hunt mirrored Stykas’ comments about the particularly worrying trend of security issues popping up in products intended to keep children secure.
“A huge number of both the devices and services I see being marketed either directly at kids or at parents to monitor their kids are absolute garbage in terms of the effort invested in security and privacy,” Hunt said.
Hunt mentions, in passing, the likes of VTech, CloudPets, mySpy, SpyFone and Mobiispy in his blog. And who can forget the string of vulnerabilities that have been found in dozens of connected baby monitoring devices over the past several years?
“I want to finish on a broader note than just TicTocTrack or Gator or even smart watches in general,” Hunt said.
“These products are simply not designed with a security-orientated mindset and the development is often outsourced to cheap markets that build software on a shoestring,” he said.
It should be noted that the researchers were keen to stress some of the things that TicTocTrack did right when notified of the security vulnerabilities, most notably restricting access to the service within one business day of being notified of the flaws and alerting users of the issues as soon as practicable.
“This is yet to be confirmed as an issue beyond the penetration testing conducted by Ken Munro [from Pen Test Partners],” Cantwell said in a statement, according to a report by The Sydney Morning Herald.
TicTocTrack had not responded to Telecom Times’ queries at the time of writing.