An exclusive report from TechCrunch says that over 47 million connected devices, including GPS smartwatches marketed toward children, are vulnerable to hacking due to major flaws in the cloud platform that supports the devices.
Earlier this year, researches found that a number of children’s smartwatches sold on Amazon and manufactured by the same White Label company contained several vulnerabilities that could allow anyone to access the devices and communicate with the wearer.
One discovery of the investigation was that the SMS filter — meant to allow only authorized numbers (usually the parents of the wearer) to communicate with a smartwatch — was inactive, meaning anybody could access it and obtain data including the wearer’s location.
The report says that a major flaw in the cloud platform was discovered that not only exposes location data but also voice communications that were recorded and stored in an unsecured database.
The cloud platform in question is developed by Chinese White Label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices in the world and the maker of several of the children’s smartwatches that have been found to be vulnerable to hacking.
Ken Munro, the founder of Pen Test Partners, the group that conducted the study, said that they found at least 47 million vulnerable devices and that “this is only the tip of the iceberg.”
Munro also found that Thinkrace makes more than 360 connected devices that are often rebranded and resold by other retailers.
“Often the brand owner doesn’t even realize the devices they are selling are on a Thinkrace platform,” said Munro.
The devices interact with Thinkrace’s cloud platform either directly or via a web domain operated by the reseller, and Munro’s team found that most of the commands that control the devices don’t require any authorization, allowing anyone with knowledge of the control points to gain access to the location data and voice recordings gathered from the devices.
It isn’t just children’s watches that are affected by these vulnerabilities. Thinkrace provided 10,000 smartwatches for athletes at the Special Olympics, which exposed them to having their locations tracked as well.
Source: TechCrunch, Rapid7