Child-tracking Smartwatch locations were exposed online due to flaws in the cloud platform of Chinese technology company ThinkRace. This is a large security incident in which the security of millions of children could have been placed at risk.
Why Parents Use Child-Tracking Smartwatches
Parents buy their children Smartwatches with tracking functionality to ensure they stay safe and for their own peace of mind. With these Smartwatches, parents can monitor their children’s whereabouts.
Some Smartwatches also have walkie-talkie-type functionality that allows children to communicate with their parents while they’re out. Other Smartwatches even notify parents if their child goes beyond a certain predefined distance from home.
However, parents’ sought-after peace of mind must undoubtedly be shattered after yesterday’s reports that they are not the only ones able to track their children via their ThinkRace Smartwatches.
Who Is ThinkRace?
ThinkRace is a Chinese technology company and one of the largest manufacturers of location tracking devices. They make more than 360 different types of devices, mostly watches and other trackers.
Moreover, ThinkRace sells white-label devices to third-party businesses. These businesses then repackage and relabel devices with their own brands before selling them to consumers as their own. This makes it difficult to ascertain who the actual manufacturer of a Smartwatch is.
ThinkRace Child-Tracking Smartwatches Flaws Explained
The problem with ThinkRace Smartwatches, and the company’s other tracking devices, is the ThinkRace cloud platform that underpins them. The platform works as the backend system for all ThinkRace-made devices. It stores and retrieves location, voice and other device data.
The flaws in the ThinkRace platform were uncovered by researchers at Pen Test Partners. The researchers learnt through their investigations that all the Smartwatches interacted with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. Consequently, the researchers concluded that the ThinkRace cloud platform was the common point of failure.
No Authentication Required
The researchers discovered that the commands that control the Smartwatches don’t require authentication. Furthermore, these commands are well documented. This allows anyone with basic knowledge of the Smartwatches’ workings and access to the internet to break into the devices.
Once access has been gained, attackers have access to real-time GPS location information of children wearing ThinkRace-made Smartwatches. This allows the children to be tracked by individuals other than their parents, thus placing their security at risk.
Furthermore, as there is no randomization of consumer account numbers, the researchers also found they could access many Smartwatches simply by increasing each account number by one.
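The two flaws described above (commands accepted without authentication, and account numbers that can be guessed by adding one) both come down to missing server-side checks. The following sketch of those checks is an added example, not code from ThinkRace or Pen Test Partners; the Platform class, its method names and the sample users and coordinates are all hypothetical.

```python
import secrets


class Platform:
    """Hypothetical tracker backend showing the checks the article says were absent."""

    def __init__(self):
        self.owner_of = {}   # account_id -> user who owns the device
        self.sessions = {}   # session token -> authenticated user
        self.locations = {}  # account_id -> (lat, lon)

    def register(self, user, location):
        # Random identifier: adding one to a known account number leads nowhere.
        account_id = secrets.token_urlsafe(16)
        self.owner_of[account_id] = user
        self.locations[account_id] = location
        return account_id

    def login(self, user):
        # Stand-in for real credential verification; issues an unguessable token.
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user
        return token

    def get_location(self, token, account_id):
        # 1. Authentication: every command must carry a valid session.
        user = self.sessions.get(token)
        if user is None:
            return 401, None
        # 2. Object-level authorization: the session must own this account.
        #    "Not yours" and "does not exist" get the same answer, so the
        #    response cannot be used to confirm which identifiers are real.
        if self.owner_of.get(account_id) != user:
            return 404, None
        return 200, self.locations[account_id]


if __name__ == "__main__":
    p = Platform()
    # Constructed sample data
    watch_a = p.register("parent_a", (51.5, -0.1))
    watch_b = p.register("parent_b", (48.8, 2.3))
    session_a = p.login("parent_a")
    print(p.get_location(None, watch_a))       # no session
    print(p.get_location(session_a, watch_a))  # own device
    print(p.get_location(session_a, watch_b))  # someone else's device
```

Random identifiers only make guessing harder; the ownership check is what keeps one customer's session from reading another customer's device.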
ThinkRace Smartwatches Difficult to Identify
The lack of clarity around Smartwatch manufacturers causes difficulties for consumers wishing to buy Smartwatches for their children. Consumers can’t be sure that the product they are buying for their child is not an unsafe ThinkRace Smartwatch.
Not all manufacturers, as ThinkRace has proven, take the necessary security precautions to protect the privacy of the data they collect. This is likely to be especially the case when it comes to low-cost devices like Smartwatches.
Number of Smartwatches Affected
All these flaws greatly undermine the Smartwatches’ security and are putting children’s lives at risk. The devices affected are not just a few thousand. Researchers found that at least 47 million devices are affected. That is at least 47 million children who are at risk.