Investigation provides further proof that parents shouldn’t blindly trust the security of IoT devices
Once again, a child-monitoring gadget has been found to be vulnerable to hackers, leaving 14,000 children open to location tracking, phone calls from strangers, and more.
MiSafes’ Kid’s Watcher Plus allows parents to track their children’s whereabouts using GPS and a 2G mobile data connection. Parents can listen in to what their child is doing, initiate two-way phone calls and create a ‘safe zone’, alerting them if the child leaves a predefined area.
The device has been on sale for three years. But it was only when a friend of Pen Test Partners’ Ken Munro bought one that he thought he’d check out its security. And what he found was extraordinary.
“I proxied the iOS app through Burp and could see that the traffic was not encrypted,” Munro wrote in a blog post last week. “Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children.”
“Profile pictures, names, gender, date of birth, height, and weight, all transmitted across the internet in cleartext.”
Hackers would be able to access the remote listening facility, track the child’s location and make phone calls that appeared to be coming from an authorized party.
It’s far from the first time that a child-monitoring device has been shown to be wide open like this.
This time last year, a report from the Norwegian Consumer Council revealed that four kids’ smartwatches were similarly vulnerable. And MiSafes itself has form, with its Mi-Cam baby monitors revealed earlier this year to have been riddled with security vulnerabilities.
“Be cautious with any kids GPS tracker watch – ask the manufacturer for evidence that their watch is secure,” Munro tells The Daily Swig. “If they can’t provide it, don’t use it.”
There are moves internationally to improve the security of IoT devices – but, crucially, they depend on the cooperation of vendors. It’s notable that MiSafes is steadfastly ignoring calls and emails from journalists and security researchers.
“Unfortunately, many manufacturers of these devices are more concerned with getting a minimally viable product to market than whether or not it is secure. As a result, many IoT devices expose their owners to significant risks,” comments John Sheehy, vice president of strategy at security firm IOActive.
“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically, and the industry’s disregard for security should be a concern for both consumers and businesses.”