Security researchers have discovered a series of significant security flaws in a smartwatch platform used in applications such as programs intended to help elderly and vulnerable people.
On Thursday, cybersecurity experts at Pen Test Partners reported security issues in SETracker, an app aimed at tracking children and the elderly, particularly people with dementia or those who need reminders to perform everyday activities such as taking their medication.
The GPS tracking software is used by carers, together with a smartwatch, to locate the people in their care, and wearers can also use the device to make a call should they need assistance.
The SETracker app from the Chinese developer 3G Electronics, which is required to use the watches, is available on iOS and Android and has been downloaded over 10 million times.
Security flaws in the product, however, meant that carers and loved ones were not the only people able to track a wearer's movements or activities.
The vendor's software, of which there are now three versions in the app stores, mostly runs the backend of inexpensive smartwatches sold under various brands. SETracker is also used in helmets and in the automotive technology market.
The first major security problem, Pen Test Partners said, was the discovery of an unauthenticated server-to-server API. The API could be abused to hijack devices connected to SETracker in ways that include, but are not limited to, changing device passwords, making calls, sending text messages, tracking location and accessing the device's camera.
If a device's backend is built on SETracker, spoofed commands such as TAKEPILLS, the command that tells wearers to take their medication, could also be sent.
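The core defect described above is an endpoint that trusts any caller able to reach it. The following is an added illustration written for this article, not SETracker's own code: a minimal device-command dispatcher in its unauthenticated form, beside a hardened version that accepts only HMAC-signed, timestamped requests from a known partner server and only commands on an allowlist. The server ids, the shared secret, the command names other than TAKEPILLS and the message format are all assumptions made for the example.

```python
"""
Added example (not SETracker's code): an unauthenticated server-to-server
command endpoint and a hardened equivalent. Server ids, the shared secret,
the message format and the command set are assumptions for illustration.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Commands a backend may push to a wearer's device. TAKEPILLS is the
# medication-reminder command from the article; the rest are assumed.
ALLOWED_COMMANDS = {"TAKEPILLS", "CALL", "SMS", "LOCATE"}

# Constructed per-server shared secret (assumption). A real deployment would
# load this from a secret store rather than keep it in source.
SERVER_SECRETS = {"partner-backend-01": b"constructed-demo-secret-do-not-use"}

MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is more than 5 min off


def dispatch_unauthenticated(request: dict) -> dict:
    """Vulnerable pattern: anyone who can reach the endpoint can push any
    command to any device id, because the caller is never verified."""
    return {"device": request["device_id"], "sent": request["command"]}


def sign_request(server_id: str, payload: dict, secret: bytes,
                 now: Optional[float] = None) -> dict:
    """Build a signed request: HMAC-SHA256 over the server id, a timestamp
    and a canonical JSON encoding of the payload (sorted keys, no spaces)."""
    ts = int(now if now is not None else time.time())
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    msg = f"{server_id}\n{ts}\n{body}".encode()
    sig = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"server_id": server_id, "ts": ts, "body": body, "sig": sig}


def dispatch_authenticated(signed: dict, now: Optional[float] = None) -> dict:
    """Hardened pattern: verify the caller before touching any device.

    Raises PermissionError for an unknown server, a stale timestamp, a bad
    signature or a command that is not on the allowlist.
    """
    secret = SERVER_SECRETS.get(signed.get("server_id"))
    if secret is None:
        raise PermissionError("unknown server")
    current = now if now is not None else time.time()
    if abs(current - int(signed.get("ts", 0))) > MAX_SKEW_SECONDS:
        raise PermissionError("stale timestamp")  # bounds the replay window
    msg = f"{signed['server_id']}\n{signed['ts']}\n{signed['body']}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so a forger cannot learn the MAC byte by byte.
    if not hmac.compare_digest(expected, str(signed.get("sig", ""))):
        raise PermissionError("bad signature")
    payload = json.loads(signed["body"])
    if payload.get("command") not in ALLOWED_COMMANDS:
        raise PermissionError("command not allowed")
    return {"device": payload["device_id"], "sent": payload["command"]}


if __name__ == "__main__":
    cmd = {"device_id": "watch-0001", "command": "TAKEPILLS"}  # constructed
    print("unauthenticated:", dispatch_unauthenticated(cmd))
    good = sign_request("partner-backend-01", cmd, SERVER_SECRETS["partner-backend-01"])
    print("authenticated:", dispatch_authenticated(good))
    forged = dict(good, body=good["body"].replace("watch-0001", "watch-0002"))
    try:
        dispatch_authenticated(forged)
    except PermissionError as err:
        print("forged request rejected:", err)
```

The timestamp check only narrows the replay window; a production service would additionally record nonces or use a transport with mutual TLS between servers. The point of the example is the contrast: the vulnerable function has no notion of who is calling, while the hardened one refuses to act on a device until the caller, the message integrity and the command itself have all been checked.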
The researchers also found the program's source code, which had been inadvertently exposed to the public in a compiled server file hosted online as an insecure backup.
The source scripts exposed server-side code, MySQL credentials, addresses, SMS and Redis credentials, and a hard-coded password: 123456. A website that housed users' photographs was also accessible.
On 22 January, Pen Test Partners disclosed the findings to 3G Electronics. It is not known whether any of the security problems were exploited in the wild. The vendor confirmed on May 29 that the exposed file had been removed and that all passwords had been changed.