IoT Vuln Disclosure: Children's GPS Smart Watches (R7-2019-57)

Executive summary


As part of a recent IoT hacking training exercise, a group of Rapid7 penetration testers set out to identify vulnerabilities in several children's GPS-enabled smart watches under the guidance of IoT Research Lead Deral Heiland. Three different brands of watches were purchased from Amazon: Children's SmartWatch, G36 Children's Smartwatch, and SmarTurtles Kid's Smartwatch. During the investigation, it was determined that all three products share nearly identical hardware and software, so every finding described here affects all three watches.


While only one of these issues is a technical vulnerability—the lack of functional SMS filtering—two other issues were identified that were at least equally troubling: an undocumented default password used to associate with the devices, and a lack of transparency and communication with the retail vendors of these devices.


A lack of vendor visibility


Setting aside the technical issues for a moment, the most pressing and difficult issue to address is the lack of information about the companies selling these devices and the lack of any avenue for contacting them. For two of the devices, the vendors appear to exist solely as Amazon storefronts, and attempts to contact them privately were unsuccessful. The third, SmarTurtles, does have an associated website, but it offers no mechanism for contacting the vendor and publishes no privacy policy.


Consumers who are concerned with the safety, privacy, and security of their IoT devi ..