Recently, researchers revealed a flaw in a shared cloud platform that powers millions of cellular-enabled smartwatches.
Thinkrace, a Chinese white-label electronics manufacturer, is one of the largest manufacturers of location-tracking devices. Its cloud platform serves as the backend for Thinkrace’s own devices, and the company also sells its tracking devices to third-party businesses.
All of these devices, whether made or resold, share the company's cloud platform, which essentially means that any white-label device made by Thinkrace and sold by its customers is vulnerable. The research was done by Pen Test Partners, who revealed their findings to TechCrunch. According to them, at least 47 million devices are vulnerable.
The research team found that Thinkrace makes more than 360 devices, mainly watches and trackers, and because of relabeling and reselling, many Thinkrace devices are sold under a variety of brand names. Once a device starts working, it interacts with the cloud platform either directly or through an endpoint hosted on a web domain operated by the reseller. The researchers then traced these commands back to Thinkrace's source cloud platform, which is the common point of failure.
The security analysts also stated that they could easily track the location of any child wearing these watches by tampering with the easy-to-guess account numbers. The smartwatch also works like a walkie-talkie, which enables parents to talk with their children, but researchers found that these voice messages were recorded and stored in an insecure cloud from which anyone can easily download them.