Researchers have uncovered a number of serious security issues in a smartwatch tracker used in applications, including services designed to support older and vulnerable people.
On Thursday, cybersecurity experts from Pen Test Partners revealed security issues found in SETracker, software aimed at children and the elderly, especially people with dementia or people who need reminders to complete their daily tasks, such as taking medication.
The GPS tracker app can be used in conjunction with a smartwatch, and in turn, users can use the system to make a call if they need help.
However, the security flaws in the product showed that it was not just caregivers or loved ones who could monitor the movements or activities of a user.
The supplier's software, of which there are now three mobile application versions, often runs in the background of cheap smartwatches offered by various brands. SETracker is also available in headphones and car software.
According to Pen Test Partners, the first major security issue was the discovery of an unrestricted "server to server API". The server could be used to compromise the SETracker service in ways that include, but are not limited to, changing device passwords, making calls, sending text messages, monitoring, and accessing cameras built into devices.
If a screen support system was based on SETracker, it was possible to send fake messages, including "TAKEPILLS" commands, which are set to remind users to take their medications.
"A person with dementia is unlikely to remember that he has already taken his medication," the researchers said. "It simply came to our notice then."
The researchers also found the software's source code, which was accidentally made public through a compiled node file hosted on the internet as a backup.
"The source code showed that this bin was where all the photos taken by devices were sent. But it has not been confirmed," says Pen Test Partners. "Since these devices are mainly used by children, it is very likely that these images contain images of children."
It is also not known if any of the security issues have been exploited by a hacker.
Pen Test Partners disclosed its findings to 3G Electronics on January 22. The company did not respond until February 12. Triage then went on to reveal the server API's vulnerabilities on February 17, which were fixed a day later.
On May 20, the researchers reported the node file problem to the supplier, and on May 29, 3G Electronics confirmed that the file had been removed and that all passwords had been changed.