IoT Vuln Disclosure: Children’s GPS Smart Watches (R7-2019-57)

Executive summary

As part of a recent IoT hacking training exercise, a number of Rapid7 penetration testers set out to identify vulnerabilities in a number of children’s GPS-enabled smart watches under the guidance of IoT Research Lead Deral Heiland. Three different brands of watches were purchased from Amazon: Children’s SmartWatch, G36 Children’s Smartwatch, and SmarTurtles Kid’s Smartwatch. During the investigation, it was determined that all three products shared nearly identical hardware and software, so all of the described findings affect all three watches.

While only one of these issues is a technical vulnerability—the lack of functional SMS filtering—two other issues were identified that were at least equally troubling: an undocumented default password used to associate with the devices, and a lack of transparency and communication with the retail vendors of these devices.

A lack of vendor visibility

Setting aside the technical issues for a moment, the most pressing and difficult issue to address seems to be the lack of information about the companies selling these devices and the lack of an avenue to contact them. For two of the devices, the vendors appear to exist solely as Amazon storefronts, and attempts to contact these vendors privately proved impossible. The third, SmarTurtles, does have an associated website, but there appears to be no mechanism to contact this vendor, nor is there a published privacy policy.

Consumers who are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons. The lack of a privacy policy is especially troubling in this age of CCPA and GDPR, and doubly so when it comes to technology marketed to parents of small children.

With that said, the rest of this blog post describes the products and the two remaining technical issues.

Product description

All three models of GPS watches use either SETracker or SETracker2 as the backend cloud service and mobile application for the iPhone and Android platforms. Both versions of SETracker are provided by the developer “wcr.” The application indexing service AppBrain indicates that wcr is the developer account associated with 3G Elec, a Chinese company based in Shenzhen. As far as the hardware is concerned, all three devices appear to be white-label rebrands of 3G Elec’s offering.

As noted above, none of the retail vendors were identifiable or contactable. While an email address was identified for 3G Elec, attempts to contact and discuss these issues were foiled by technical issues with that email address. The first attempt generated a bounce message indicating another email address as the correct contact, and that second address generated a bounce message indicating the storage limit for that address had been reached.

Findings

Aside from the communications issues described above, two technical issues were uncovered across the three GPS smart watches:

Finding 1: SMS filter bypass vulnerability

The products under test have a SMS-based interface to view and change configuration details by texting the watch directly with certain commands. The documentation states that only certain configured numbers may communicate with the watch, and those numbers are entered on a whitelist on the associated mobile app. However, in practice, this filter did not appear to be functional at all—unlisted numbers could also interact with the watch.

Incidentally, SMS filtering is a weak control even in the best of circumstances, as this originating phone number is trivially spoofable, and is therefore not recommended as a security control.

So, armed with the knowledge of a watch’s assigned phone number and the configuration password (see Finding 2), unauthenticated attackers can read and write configuration details, up to and including pairing the watch with the attacker’s own smartphone.

Finding 2: Undocumented default password

The watches have a default configuration password of “123456” and each of the three watches under test treat this information differently. One manual does not mention the password at all, another mentions it in a translated blog about the product (but not in the printed material), and a third doesn’t characterize the string as a password nor provides any instruction on how to change it.

Exploitation and mitigation

Given an unchanged default password and a lack of SMS filtering, it is possible that an attacker with knowledge of the smart watch phone number could assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent).

Unfortunately, there does not appear to be any mechanism to address the SMS filtering issue without a vendor-supplied firmware update, and such an update is unlikely to materialize given that the provider of these devices are difficult to impossible to locate.

With this in mind, current users of these devices who wish to continue to use the device are urged to investigate how to update the SMS control password. Unfortunately, this process can be different per device, and the documentation can be difficult to locate.

Credit

These findings were discovered and reported by Shane Young, Carlota Bindner, Trevor O’Donnal, and Deral Heiland, all of Rapid7.

Disclosure timeline

• November 2019: Initial findings documented
• Tuesday, Nov. 19, 2019: First attempt at contacting 3G Elec, the upstream vendor
• Wednesday, Dec. 11, 2019: Public disclosure (planned)