TicTocTrack smartwatch fixes 2019 software bug, again

Advertised as the ‘world’s smallest GPS Safety watch,’ the TicTocTrack GPS Watch provides an SOS alarm, lets users make and receive calls, and sends SMS alerts every time the child leaves or enters certain areas.

iStaySafe, the developer of the kids’ GPS watch, unintentionally reintroduced a 2019 security flaw in its software, allowing hackers to exfiltrate personal information and spoof the location of the user.

This time around, South African developer Gordon Beeming wanted to check if the TicTocTrack was still vulnerable before purchasing the GPS watches for his children.

“Unfortunately, when I looked into it I found that the vulnerability still existed in the product. Doing some more reading I noticed that it was mentioned in a couple of articles including Troy’s blog post that his issue was fixed,” Beeming said in a blog post last month.

While investigating the product, the researcher was able to get personal data, including names, email addresses, phone numbers and profile pictures of 1,000 users registered on the website. Moreover, another pen tester involved in the investigation mentioned the possibility of modifying the actual location of any child using the device.

The period in which the unpatched vulnerability was active remains unclear and, unlike the previous disclosure, the company did not notify their users. However, a fix for the bug was issued between 24 and 26 January 2020.

A similar security bug was detected in 2019, when security expert Troy Hunt purchased the watch for one of his children. Pen testers checking the security of the device discovered that vulnerabilities in the device’s software allowed threat actors to abuse the two-way call feature to make calls and even listen in on the user.

Following the initial disclosure, customers were notified via email or SMS before the company took their systems offline to remediate the vulnerability, claiming that, “iStaySafe will continue to operate in an open, transparent and honest manner and invest in the security of their network.”

According to a statement by iStaySafe CEO Karen Cantwell on databreachtoday.com, “Our product has not exposed personal data to anyone other than two ethical hackers that brought an issue to our attention.” “…There is no immediate security threat to our customers, and there has been no breach that has resulted in any harm to our customers that would require any kind of public release.”
