The security flaw could allow a stranger to stalk a child with the device.
TicTocTrack, a popular GPS tracking smartwatch for children in Australia, has been found to have security flaws that could potentially allow hackers to track and call children.
The researchers found that the watch’s services could be easily compromised.
Computer researchers at Pen Test Partners discovered vulnerabilities in the watch on Monday. The researchers found that the GPS tracking smartwatch, which has been sold in Australia since 2014, could allow hackers to view personal data on the user’s account, track children’s location and even spoof the child’s location.
The researchers learned that the service’s back end performs no authorization check on any request, beyond requiring the user to have a valid username and password combination. Therefore, an attacker who is logged into the service could remotely compromise the smartwatch app and track other accounts based in Australia.
Vangelis Stykas, a Pen Test Partners researcher, said in an analysis that the developer of the TicTocTrack device was more concerned with making the application work than with its security. Because no requests require authorization, the data is left open to access and manipulation.
“This is unacceptable for a product that is supposed to keep children secure and a trend that we constantly see in the IoT market that products are rushed to the market,” Vangelis said, reports Threatpost.
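The gap described above, a valid login with no per-request authorization, is shown here as an added example that is not code from the article, Pen Test Partners or the TicTocTrack service. All function names, tokens, device IDs and coordinates are hypothetical and constructed; the `audit` helper is a cross-account regression check a developer could run against their own handlers.

```python
# Constructed in-memory data; every name here is hypothetical, not the vendor's API.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}  # session token -> logged-in user
DEVICES = {
    "watch-1": {"owner": "alice", "last_fix": (-33.87, 151.21)},
    "watch-2": {"owner": "bob", "last_fix": (-37.81, 144.96)},
}

class Unauthenticated(Exception): ...
class Forbidden(Exception): ...

def authenticate(token):
    """Authentication: who is calling? Fails if the token is not a live session."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise Unauthenticated("no valid session") from None

def get_location_authn_only(token, device_id):
    """Flawed pattern: any logged-in user passes, whoever owns the device."""
    authenticate(token)
    return DEVICES[device_id]["last_fix"]

def get_location_authorized(token, device_id):
    """Hardened: the caller must also own the requested device."""
    user = authenticate(token)
    device = DEVICES.get(device_id)
    # Same error for "missing" and "not yours" so responses do not reveal valid IDs.
    if device is None or device["owner"] != user:
        raise Forbidden("device not accessible to this account")
    return device["last_fix"]

def audit(handler):
    """Return every (user, device) pair where a non-owner receives data."""
    leaks = []
    for token, user in SESSIONS.items():
        for device_id, device in DEVICES.items():
            if device["owner"] == user:
                continue  # owners are expected to succeed
            try:
                handler(token, device_id)
                leaks.append((user, device_id))
            except Forbidden:
                pass
    return leaks
```

An empty list from `audit` means no account can read another account's device; a non-empty list names each cross-account read that succeeded.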
Access to the GPS tracking smartwatch services has temporarily been disabled while the security flaw is investigated.
For now, iStaySafe Pty Ltd., the parent company of the TicTocTrack device, has temporarily disabled access to the wearable’s service and app while the issue is investigated further.
That said, the company has said that there has never been a security breach that resulted in their customers’ personal data being used for “malicious purposes.”
“Our team are constantly working to improve our software and make it as safe as possible for our users. As soon as a full technical assessment has taken place, conducted by a trusted, reputable and accredited penetration testing service, we will be releasing a transparent report which will detail what security issues were apparent, what steps we are taking and when,” iStaySafe told Threatpost.
The GPS tracking smartwatch is made by Gator Group (a Chinese brand that has had watch privacy issues in the past) and its complementary mobile app has been developed by Nibaya. The smartwatch has been specifically designed for children; it uses GPS to track their movements every six minutes and also has voice calling and SMS features.