The apps, created by China-based 3G Electronics, tell millions of vulnerable users when to take their tablets or complete certain tasks. They have also been used to interact with smartwatches and GPS vehicle trackers for children. However, researchers warn that the SETracker application has serious security flaws that could allow hackers to access millions of smartwatches used by dementia patients.
They say: "The SETracker platform supports in-car trackers, including both car and motorcycle trackers, often embedded in audio head units, and dementia trackers for elderly relatives. The discovered vulnerabilities could potentially control all of these devices."
Pen Test Partners also captured video of their proof-of-concept exploit in action. Using it, they were able to make calls, send messages, spy on devices, send fake messages, stop car engines, access cameras and more.
However, one action with potentially life-threatening consequences is instructing vulnerable users to take medication.
The researchers warn: "These watches are not only marketed to children. Many are used for elderly relatives or family members with dementia."
"Sending a command to the watch that says 'TAKE PILLS' on the screen is trivial and could result in a dementia patient 'overdosing' on medication, which could be life threatening."
The researchers were also able to view the app's source code, which would have given an attacker access to:
The vulnerabilities were fixed after Pen Test Partners alerted the app makers to these flaws.
Pen Test Partners confirmed: "We contacted 3G Electronics and asked them to shut down their API.
"To our surprise, within 4 days of the initial disclosure, 3G Electronics had modified the server-to-server API by restricting it to certain IPs."
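The fix the researchers describe is a source-address allow-list on a server-to-server API. The following is an added example of such a check, written for this page; it is not code from 3G Electronics, SETracker or Pen Test Partners, and the network ranges, function names and request shape are constructed for illustration. The point a practitioner cares about is which address gets checked: the transport-level peer address, never a client-supplied header such as X-Forwarded-For, which anyone on the internet can set.

```python
"""Added example: a source-IP allow-list for a server-to-server API.
Not code from 3G Electronics, SETracker or Pen Test Partners; every
address range and function name here is an assumption for illustration."""
import ipaddress
from typing import Iterable, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed allow-list using documentation prefixes (RFC 5737 / RFC 3849),
# standing in for the partner servers' real egress ranges.
ALLOWED_NETWORKS: list = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def is_allowed(peer_ip: str, allowed: Iterable[Network] = ALLOWED_NETWORKS) -> bool:
    """True only if peer_ip parses and lies inside one allowed network.

    A malformed address is rejected rather than raising, so a bad value can
    never fall through to 'allowed' via an unhandled exception path.
    """
    try:
        addr = ipaddress.ip_address(peer_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def gate_request(peer_ip: str, forwarded_for: Optional[str] = None) -> Tuple[int, str]:
    """Admit or reject a server-to-server call based on the TCP peer address.

    forwarded_for is accepted only so the signature mirrors a real request
    object; it is deliberately never consulted. Unless a trusted reverse
    proxy in front of this host overwrites that header, it is attacker
    controlled, and honouring it would let any client claim an allowed IP.
    """
    if not is_allowed(peer_ip):
        return 403, "forbidden: source address not in allow-list"
    return 200, "ok"


if __name__ == "__main__":
    # Constructed sample requests: (peer address, X-Forwarded-For header).
    samples = [
        ("203.0.113.7", None),                 # partner range, admitted
        ("198.51.100.9", None),                # not on the list, rejected
        ("198.51.100.9", "203.0.113.7"),       # spoofed header, still rejected
        ("2001:db8:1::42", None),              # partner IPv6 range, admitted
        ("not-an-ip", None),                   # garbage, rejected
    ]
    for peer, xff in samples:
        print(peer, xff, gate_request(peer, xff))
```

An allow-list of this kind is a perimeter control, not authentication: it stops the open-internet access the researchers demonstrated, but a caller inside an allowed range is still trusted wholesale, so in practice it belongs alongside per-caller credentials such as mutual TLS or signed requests.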
Devices like smartwatches are often affected by security flaws and subsequently targeted by hackers. Users are advised to use a unique password for each app account, buy only devices from reputable vendors, and keep their apps up to date.