Australian security researcher Troy Hunt has just reported major security flaws in the popular TicTocTrack Watch used by Australian parents to track their children.
Hunt and Ken Munro from Pen Test Partners discovered that the TicTocTrack Watch was simply a rebranded Gator tracking watch.
This type of child tracking watch has been judged by German regulators to be so flawed that they suggested parents destroy the watches and stop paying for subscriptions:
German parents are being told to destroy smartwatches they have bought for their children after the country’s telecoms regulator put a blanket ban in place to prevent sale of the devices, amid growing privacy concerns.
The details in this story are truly disturbing. With relative ease, researches were able to:
- Modify the reported GPS location of watches, making them appear to be somewhere they weren’t (i.e. you lose your kids)
- Modifying watch data to add unknown contacts to the watch (i.e. masquerading as a parent or trusted adult)
- Making the watch auto-answer calls from third parties so they can monitor your child’s surroundings
Most disturbingly, researchers were able to get the precise GPS coordinates of these watches, and thus the kids wearing them. Combine this with the other features above, and it’s a miracle that someone’s kid hasn’t been kidnapped.
These watches sound like an unmitigated disaster, and absent some significant development work making the software at least ANY more safe, we could only reiterate the recommendation of regulators overseas – if you’ve got one of these devices, destroy it and throw it out.
For more detail about the multiple security flaws found in the TicTocTrack (Gator) watches read Troy Hunts blog post.
Such a critical security failing really needs a national recall campaign to be carried out by the federal govt.