Australian Kids' Smartwatch Maker Hit By Same Bug AgainTicTocTrack Fixes Bug That Exposed Data, Allowed Tampering With Kids' Location
An Australian company that sells a GPS tracking smartwatch for children accidently introduced a security flaw in its software that could have allowed hackers to spoof the location of a child as well as download the personal information of its customers.
Brisbane-based iStaySafe Pty. Ltd. makes the TicTocTrack watch that enables parents to see the location of their child, call the watch and get alerts if a child leaves a certain geographic boundary.
Last year, the company received AU$1 million (US$606,000) in funding from Queensland’s government. Australia's government also funds purchase of the watches through its National Disability Insurance Scheme.
The security flaw is identical as one discovered in early 2019 by the U.K.-based security company Pen Test Partners. It appears that the flaw was mistakenly re-introduced into the code (see: Australian Child-Tracking Smartwatch Vulnerable to Hackers).
It’s unclear how long the bug was in the code, but it was fixed between Jan. 24 and 25. TicTocTrack has not notified its users that the problem cropped up again and says it is not required to under mandatory breach reporting laws.
“There is no immediate security threat to our customers, and there has been no breach that has resulted in any harm to our customers that would require any kind of public release,” says Karen Cantwell, CEO of iStaySafe.
The first time the bug occurred, TicTocTrack notified users by email and text message and issued a news release. Cantwell says the decision to notify users was made at that time because the company had to take its systems offline, which meant the smartwatches wouldn’t work.
Troy Hunt, an Australian data breach expert who was involved in examining TicTocTrack the first time it had this bug, says the norm for situations like this one is for a public disclosure statement that describes how long the bug existed.
“The industry expectation when personal information is accessed by an unauthorized party is that those impacted are promptly notified,” Hunt says. “Depending on jurisdiction, disclosure to the local regulatory body may also be required.”
The bug was discovered for the second time in January by Gordon Beeming, a South African developer who was considering buying two smartwatches for his children.
Beeming says he came across a conference talk by Hunt mentioning the first TicTocTrack bug and decided to see if the service was still vulnerable. It was.
Beeming says he was able to obtain the personal data of at least 1,000 registered users. The types of data includes names, email addresses, phone numbers and profile photos.
With Hunt’s permission, Beeming downloaded the data from Hunt’s account, which was accurate. He also pulled the data for Hunt’s 7-year-old daughter, including the phone number for the SIM card in her TicTocTrack watch.
Beeming says he has since deleted all of the data, and he published a blog post about his findings on March 18.
The bug is classified as an insecure direct object reference. Anyone logging into a TicTocTrack account could increment an integer called a “family identifier,” which is assigned to a registered account. By incrementing the number in that field, the details for another account is displayed.
TicTocTrack’s back-end APIs use odata. During his research, Beeming was also able to remove a filter from a storage container that held TicTocTrack’s personal account data in bulk, which resulted in all of the data from that container being pulled into his computer.
“Using this, I was able to give Troy his data,” Beeming writes.
But the bug wasn’t just limited to exposing personal account data. Ken Munro, a partner at Pen Test Partners who was involved in disclosure of this incident as well as the first one, says it would have been possible to modify the reported location of children.
“The vulnerability was the same insufficiently authorized odata request as we found originally, so location spoofing would have been possible,” Munro says.
Hunt wrote an in-depth blog post when the first bug arose. To demonstrate the seriousness of the bug, he allowed Vangelis Stykas, a security consultant with Pen Test Partners, to experiment with his daughter Elle's account.
Stykas was able to add himself as a parent on Elle’s account, and one night he called Elle. Hunt published a video of the demonstration.
TicTocTrack: No Reporting Requirement
Cantwell, CEO of iStaySafe, says the data exposure does not need to be reported under Australian law nor under the European Union’s General Data Protection Regulation.
Australia introduced a mandatory breach reporting law that came into force in February 2018. It requires organizations with more than $3 million in turnover to report an incident within 30 days (see: Australia Enacts Mandatory Breach Notification Law).
The Office of the Australian Information Commissioner, which oversees the scheme, recommends that breaches that a reasonable person would think are likely to result in “serious harm” should be reported.
GDPR requires organizations to report incidents where Europeans' personal data is exposed within 72 hours.
Cantwell maintains that no one else aside from Beeming and Munro accessed data this time around.
“Our product has not exposed personal data to anyone other than two ethical hackers that brought and issue to our attention,” she says. “...I’m sure you would agree that no one is immune to attempted hacking.”
Cantwell says that since the first incident, TicTocTrack has invested in penetration tests with CREST-certified partners, web application firewalls and internal data security protocols.
“What our customers are confident of and is evident by their continued use of our products and services is that we employ all possible measures to ensure we mitigate risk wherever possible and maintain data security,” she says.