Chinese Tracking Platform Used in Cheap Smartwatches Found Completely Open

Security researchers found a vulnerability within a system called SETracker used in smartwatches, often by older people and kids, allowing attackers to take control and potentially abuse applications.

IoT devices can be used in numerous ways to improve the lives of people in a meaningful way. We do have some superfluous features sometimes, but some IoT devices can prove to be a real help for their users.

For example, SETracker is a software used in smartwatches that allows the family to track older people or patients with dementia. One of the features offers users notifications so that they remember to take their pills.

The application can also be used to track people who wander too far from their homes and even trigger a call to their carer. But the same SETracker system is used in many other devices, such as cheap smartwatches with tracking options for children.

Researchers from Pen Test Partners looked at the underlying code SETracker and found that through an unrestricted server to server API they could perform the following actions:

• Make a device call any phone number
• Make a device send SMS with any text
• Call any device
• Spy on any device (even on countries like Germany that this functionality was supposedly disabled)
• Fake a message from a parent
• Kill the engine of a car tracker (it should be noted, SETracker does more than just track kids/elders)
• Access the camera of all devices with a camera
• Send a TAKEPILLS command to the device to remind a relative to take medication

The team went further and analyzed the source code, which was available publicly. They managed to obtain Mysql password on all databases, ali yun file buckets credentials (s3 equivalent with ALL their pictures), email credentials, SMS credentials, Redis credentials, IPs and services of 16 servers, and the entire server-side source code for SETracker.

The cherry on top? The default password, hardcoded into source code and changeable by users, was 123456.

Besides the worrying prospect of allowing attackers to control the kids’ smartwatches, the researchers also found that it was also possible to send notifications such as “Take Pill” to patients suffering from dementia.

Following the discovery of the vulnerabilities, the researcher contacted the Chinese company and quickly fixed the issues on the server-side without updating the apps. Given that the SETracker platform supports automotive trackers, audio units, kids watches, and dementia trackers for elderly relatives, it’s impossible to say how many active devices are in the wild or if the vulnerability was already used.