Researchers note about the popular smartwatch tracker vulnerability that can be used to hack devices and send medication alerts
Particular API issues reported because hackers can possibly exploit these flaws to spy on users, make calls, send messages, and request alerts that encourage people to take medications. Since this last function is popular among forgetful or even elderly people hackers can take control of the device and easily trigger any function needed.
The company in the UK – Pen Test Partners found that the smartwatch can be triggered into sending alerts “take pills”, so the reminder tricks person to take medication when he or she already took the needs pills.
An overdose could easily result.
Dementia patients and other people that need to be taken care of can suffer from serious damage to their health. Caregivers rely on such devices and smart functions, so the location of a person they care for can be tracked, all the medication taken in time anywhere since smartwatches work on cellular connection mainly.
Flaws found in back-end cloud system
The SETracker system that is known to power the smartwatch was found vulnerable. This cloud system powers millions of smartwatches and vehicle trackers in Europe, so all of them are vulnerable to hacks. The copy of the source code was analyzed, and researchers could have analyzed the piece to find these flaws.
One of them was reported to be especially crucial because if the flaw gets exploited the attacker can send commands to the remote server and control any of the targeted devices remotely. When experts managed to look into possible functions they revealed that once flaws get used it possible to:
- make calls;
- send messages;
- spy on the device;
- trigger the camera;
- send TAKEPILLS message commands;
- kill the car tracker engine.
Public source code revealed information from the SETracker cloud storage
The code that was investigated also had tokens and passwords to SETracker's cloud storage. Unfortunately, researchers couldn't have looked deeper into it due to legal issues. The investigators note that the database was not accessed, so they couldn't view any credentials or pictures uploaded by users.
Since the SETracker service can be hijacked, accessing the full control of the device is not the only issue since viewing the following data is possible:
- email credentials.,
- Mysql passwords;
- SMS credentials;
- Redis details.
- IP addresses;
- services of 16 servers;
- the entire source code for the SETracker server.
The data that can possibly get leaked or exposed concerns these researchers:
The source code indicated that this bucket was where ALL the pictures taken by devices are sent. We have not confirmed that. Given the use case of these devices is predominately children's trackers it is extremely likely these images will contain images of children.
This was not the first finding from the same team since Pen Test Partners disclosed similar vulnerabilities in widely-used child smartwatch devices. Millions of GPS-tracking devices used by parents who want to keep track of their children. These smartwatches leaked location details, exposed voice recordings of those kids.