Tens of thousands - possibly several hundred thousands - of kids can be tracked via their Gator and Caref watches.
Published: | Wed, October 18, 2017, 14:55 |
Updated: | Fri, March 30, 2018, 09:30 |
Category: |
Security
|
Tags: |
Security Monday
Information leak
Internet of Things
#WatchOut
|
Gator Watch - a GPS watch for kids - is leaking data in all ends and anyone on the Internet can live track your kid. We're not talking about a security vulnerability, we're talking about non-existing security.
Who: | Gator Watch |
Severity level: | Critical |
Reported: | August 2017 |
Reception and handling: | Poor |
Status: | Not fixed |
Reward: | A thank you |
Issue: | Anyone can track any watch, listen to voice messages, fake location, etc. etc. |
I bought a Gator 2 smartwatch for my kid after reading some reviews about different watches. The concept was pretty good, but how good was the security?
The company behind Gator Watch claims to have sold more than 300,000 watches. As far as I can understand they are all trackable for anyone on the Internet.
I reported the issue in the start of August and was giving the vendor 90 days to fix the issues, so I was planning to publish this post in the start of November, but suddenly this case was all over the news.
The Gator watch is some places branded as Caref GPS Phone Watch. I'm not entirely sure if this is the same as the Gator 1 watch or if it's also Gator 2.
Looking back at this issue I really started in the wrong end. The biggest issues was so easy to spot without being very technical.
Playing with the watch and the config I saw that it's possible to set up which server the watch connects to..
First I tried connecting to the Gator Watch server via telnet trying to send HTTP commands. That failed, and I tried a couple of other commands, but the remote server just closed the connection on me.
Then I set it up to my own router's IP address, added a port forwarding to my machine where I was running a very simple Python script printing whatever came my way. I configured the watch to use my IP, and surely it started sending simple strings with stuff like IMEI, positions, battery level, etc. It kept the connection open. The connection was not encrypted and there was no type of session ID or token or anything. It always used the IMEI as the identifier. This was pretty shocking.
The quick-and-dirty Python script I hacked together to listen to the watch:
#!/usr/bin/env python import socket TCP_IP = '0.0.0.0' TCP_PORT = 17015 BUFFER_SIZE = 20 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((TCP_IP, TCP_PORT)) s.listen(1) conn = None try: conn, addr = s.accept() print 'Connection address:', addr while 1: data = conn.recv(BUFFER_SIZE) if not data: break print "received data:", data #conn.send(data) # echo except KeyboardInterrupt: print '\nBye bye :)' finally: if conn is not None: conn.close() if s is not None: s.close()
I sent some of the commands I got to the Gator Watch server via telnet, and now it kept the connection open. This way one can easily spoof the position of anyone as long as you have the IMEI.
Here's some of the data received from our watch to my fake server (I've randomized the data and removed some newlines):
received data: (45353IMEIHERE416P02,GT03.V10.20170303,7,23201) received data: (45353IMEIHERE416P02,G,160805A6027.0330N00512.3931E000.41058310.00,6) received data: (45353IMEIHERE416P02,G,160805A6027.0352N00512.3879E001.411000074.23,6) received data: (45353IMEIHERE416P02,0,1,160805,220200,5) received data: (45353IMEIHERE416P02,0,1,160805,220200,5)
The data contains the software version, IMEI, time, location method (GPS vs Wi-Fi), location coordinates, battery left.
Sending the data to thet server you can get back who is allowed to call the watch. Like
#555-2368#Dad. So that makes it pretty easy to identify the family of the child.
Just as in my first case I set up Charles as HTTP+HTTPS proxy to listen to the communication between the Gator Watch server and Gator Watch app. I was shocked to see that there is no encryption between the server and the app.
What's more is that the app and server used an incremental integer as ID for the watch. I could - and still can - just change the ID and get the posisition of any other watch. And it didn't stop there. I could - and still can - easily download the voice messages left by any child or their parent. I changed the ID and got the position of a kid in Sweden. I only downloaded one other voice message, and it was appearantly from a Swedish parent sending some sort of first test message to his kid.
I downloaded the APK for the Android app and decompiled it. It was an hybrid Angular app. Again, there was no signs of the app using https for anything. The JavaScript source code gave away addresses to other servers and I found a URL with a what looks like an admin interface.
Being an Android developer I work most days with the phone's system log on the screen. What I didn't see until after I found out of everything, is that the Gator app actually constantly logs the URL which you can just open in your browser and change the integer ID in and get the position of any child wearing the watch.
The issues I saw were these:
Saturday evening I sent an e-mail to customer support of Gator Norway explaining the issues.
Tuesday morning I got a reply thanking me for sending them the information. They would check this out as soon as possible. And "We want our watch to be safe for both children and parents!"
Without my knowledge The Norwegian Consumer Council and security company mnemonic started their own testing of different smartwatch brands sold in Norway - among them the Gator 2 watch.
I asked for a status on the issue.
They used 3 weeks to get back to me, and told that it "would take some time" to fix this. I can understand that adding security on a completely broken system isn't done very easily. They also said that the Gator 3 Watch and Gator 3 app is already secured.
The Norwegian Consumer Council suddenly broke the news about security issues in smartwatches for children (Norwegian article) - among them Gator Watch. BBC also brought the news. (English article) This is when I decided to write this post with the technical details and all. There was no reason to wait the normal 90 days when this is out. It's important that as many people as possible is told about this.
If you ask me this is as bad as it can get. As a parent you want your kid to be nothing but safe. And when you buy a product like this you expect to make them more safe. But what happens is that you put your child at risk. Any predator can track your kid, and even start see patterns in when a child usually goes to e.g. school or after-school activities. It would even be possible to fake the position of the child, tricking parents to believe everything is fine or that their child is somewhere else than they are looking for him/her.
As a developer I just cannot understand how a product like this can end up on the market. Any developer involved in the project on any level would know that this is a really bad product. It's not like anyone mistakenly has screwed up. No one has cared to add any layer of security.
If your child is using Gator Watch I would recommend you stop him or her from doing that. Now.
For those of you wanting to go even deeper I would recommend the solid report by Norwegian Consumer Council and mnemonic (PDF, English, 49 pages). They also cover some other brands, go into more privacy issues and show how they did the technical tests.