My Gator Watch
Gator watch range by TechSixtyFour was found to reveal live location of thousands of children
Parents buying smartwatches for their children might think they are doing the right thing, as these devices help them keep an eye on their kid's location without entrusting them with a pricey, addictive, and easily-broken smartphone.
But security researchers have found gaping holes in the security of a popular range of these kid-friendly wearables. Called Gator, the portfolio of smartwatches is produced by a company called TechSixtyFour and intended for children aged five to 12. Back in 2017, the device range was called out on security flaws discovered by the Norwegian Consumers Council.
Some retailers removed Gator watches from sale as a result of the findings.
Just over a year later, researchers from UK-based Pen Test Partners (PTP) decided to revisit the Gator watch range and see what improvements had been made. Unfortunately for TechSixtyFour - along with the parents who bought the watches and children that wear them - the news is not good.
"Guess what: a train wreck." PTP said in a post on its website in late-January. PTP went on: "Anyone could access the entire database, including the real time child location, name, parent details etc. Not just Gator watches either - the same backend covered multiple brands and tens of thousands of watches."
PTP found the location and personal information of 35,000 children and their parents could be viewed through the watch's online portal by anyone with basic cybersecurity knowledge. This is because the system could be manipulated by anyone to give them full administrative access.
Gator watches had received positive reviews from the technology press in 2017. Their ability to help parents keep in contact with their children without buying them a mobile phone was applauded, along with their GPS tracking abilities.
PTP contacted China-based TechSixtyFour on January 11 to inform them of the severe flaw, asking that the problems be fixed within a month, at which point they would publicly announce their findings.
TechSixtyFour, according to PTP's blog post, requested two months to address the problem, as it was close to Chinese New Year. "We were really disappointed by this request, given the sensitivity of the data involved," PTP said.
The watches are intended for children aged between five and 12My Gator Watch
A fix was then made, and PTP validated that the system was secure as of January 16.
PTP adds, before the fix: "We discovered 20,000 accounts on the system, with 35,000 devices affected. This isn't good. Given TechSixtyFour's flawed security history we would have thought that a thorough security review would have be [sic] undertaken immediately after the findings of the Norwegian Consumer Council were published last year."
Weak security in devices like these is unfortunately a common problem. Whether it be an internet-connected fish tank thermostat giving hackers access to a casino's database, a child's toy being compromised by hackers able to listen through its microphone, or a robotic vacuum cleaner having its camera compromised, such incidents are widespread.
A report in late-2017 claimed over two-thirds of consumers fear of internet-connected devices being hacked. As the Internet of Things grows, the number of potential targets - targets often with weak or broken security - is going to increase.
PTP added: "We keep seeing issues on cheap Chinese GPS watches...As this product is used by children, its security should be tested regularly and thoroughly...The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security."
Summing up, the security researchers said: "Our advice is to avoid watches with this sort of functionality like the plague. They don't decrease your risk, they actively increase it."
Colleen Wong, founder of TechSixtyFour, told GearBrain: "At Techsixtyfour, the security of our product, My Gator Watch, is of paramount importance. Our business follows all IoT security industry standards and best practices as set out by the IoT Security Foundation.
"Since 2017, we have hired a reputable London cyber security firm with industry accepted qualifications to do annual full penetration tests as part of our ongoing commitments to security along with monthly automated vulnerability assessments. We have completed our most recent pen test on Jan 30, 2019."
The statement continued: "We appreciate Mr Munro of Pentest Partners disclosing this vulnerability to us, and our team have taken this seriously as our fix was completed within 48 hours. An internal investigation of the logs did not show that anybody had exploited this flaw for malicious purposes.
"In this instance, Mr. Munro gave only a cursory description of the security flaw to resolve this vulnerability before he would disclose it in 30 days time. Our technical team took this high level description, and implemented a partial fix within 12 hours. They then identified the root cause and deployed a full fix within 48 hours of the notification. This process could have been expedited if Mr Munro had shared the low level details of the vulnerability, as we requested and as per the vulnerability disclosure policy of Mr. Munro's organisation."