Projects:2018s1-167 Security Assessment of Watchem and Moochies Watches
Project Team
Narayan Shanmuganathan (Team Leader)
Georgia Castignani (Technical Lead)
Nooragha Sharifi (Document Manager)
Project Supervisors
Matthew Sorell
Richard Mathews
Introduction
Numerous safety watches, designed for children, have been banned in Germany due to potential security and privacy concerns [1]. Generally, these devices are linked to an application that allows the child’s guardian to monitor them. If a cyber-vulnerability exists within such a watch, it is conceivable that a hacker can use this vulnerability to obtain sensitive data from the watch, reducing the overall privacy and safety of the wearer. Examples include unauthorised access to the child’s GPS coordinates, remote extraction of phone numbers and voice data exfiltration [5][6][7]. Thus, it is imperative that these safety wearables are secure, to avoid unintended parties being privy to the child’s private data.
Objectives
Initially, the objective of this paper was to produce preliminary results showing that vulnerabilities exist in kids' safety watches currently sold in Australia. The objective then evolved into expanding on the preliminary results by determining the cyber-vulnerabilities in a diverse range of kids' safety watches, ranging from a low to a high level of assumed security. Following this, the group aims to develop a testing framework, using the knowledge previously attained, to assess whether a kids' safety watch is technically secure enough to be sold to the public.
Related Work
Some research papers have focused on developing a testing methodology for discovering vulnerabilities in general wearable IoT devices. In [2], a dynamic testing methodology is discussed which focuses on simulating the realistic environmental conditions of wearable IoT devices. That paper uses a black box testing methodology and assumes only the final product is available; hence its approach cannot map an IoT device to a specific security level, but rather lists the results of the tests. Vulnerabilities have also already been demonstrated for 3 distinct wearable devices that collect user data (i.e. Fitbits) and communicate with the user’s smartphone [3]. The vulnerabilities exposed in that paper relate to elements in the Wireless Body Area Network (WBAN) architecture and Bluetooth Low Energy (BLE) protocols. These vulnerabilities are verified experimentally through 3 specific case studies which use general attack processes developed in that paper [3]. In this paper we propose a methodology similar to [2] and reduce the scope to wearables marketed as children’s safety watches.
Methodology
Both watches were pentested using identical methods, as they used the same system architecture. Each device could be instructed to execute various tasks via SMS commands. Each SMS message had to be correctly formatted according to the given specifications, and include the password of that particular device [5][9]. For example, the command pw,123456,ts# contains the default password (123456) and the instruction (ts), separated by commas [4][5][8][9]. This command instructs both watches to return private information such as the device location and IMEI. No information on changing the passwords for these devices was included in either manual, nor was it available as a function in the smartphone app. Thus, changing the default password of either device was neither compulsory nor apparent. By sending the generic password to enable SMS commands, the team was able to alter the data of the watch [4][5][6]. The team then proposed that using the SMS command to alter the IMEI would result in the unique registration code changing, which would allow the device to be registered to the application again. Theoretically, this would revoke the parent’s access to the child’s smartwatch via the watch’s application.
Following this, market research was undertaken to identify the kids' safety watches available in the 2018 Australian market. Devices were included in the list if they were sold in an Australian physical store, sold in an Australian online store, or available for import. The identified watches were then categorised by their key characteristics, such as the original equipment manufacturer (OEM), system architecture and the features of their application and server ecosystem. Using this list, the group then prioritised which devices to test.
Preliminary Findings
We reported our SMS vulnerability findings to relevant agencies in Australia, and we understand action is being taken to protect Australian consumers from the product shortcomings of both watches. These devices can be instructed to perform certain actions if correctly formatted SMS commands are sent to the watch's number [5]. Using these commands, we were able to double-register the devices to prevent the parent from accessing the watches via the corresponding application, remotely monitor the sounds recorded by the watch's microphone without the knowledge of the wearer, and access each watch’s private data such as GPS location [4][5][6].
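The weakness described in the Methodology and Preliminary Findings is that knowledge of the default password is the only thing an SMS command needs. The following added example (not code from the project or from either watch) sketches the checks a command handler would need before acting on a message. The function name, the guardian allow-list, the non-default password and the phone numbers are assumptions constructed for illustration; only the pw,123456,ts# format comes from the page.

```python
import hmac
import re
from dataclasses import dataclass

# Grammar taken from the page's example "pw,123456,ts#":
# literal "pw", a password, an instruction, terminated by "#".
COMMAND_RE = re.compile(r"pw,([^,#]+),([a-z]+)#")
DEFAULT_PASSWORD = "123456"   # default quoted on the page
SENSITIVE = {"ts"}            # "ts" returns location and IMEI (per the page)


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate_sms(sender, body, device_password, guardians):
    """Decide whether an inbound SMS command may be executed."""
    # guardians: hypothetical allow-list of numbers enrolled by the parent.
    m = COMMAND_RE.fullmatch(body.strip())
    if m is None:
        return Decision(False, "malformed")
    password, instruction = m.groups()
    # Refuse all SMS control until the factory password has been changed.
    if device_password == DEFAULT_PASSWORD:
        return Decision(False, "default-password-not-changed")
    # Constant-time comparison avoids leaking the password via timing.
    if not hmac.compare_digest(password.encode(), device_password.encode()):
        return Decision(False, "bad-password")
    # The password alone is not enough: the sender must be enrolled.
    if sender not in guardians:
        return Decision(False, "unknown-sender")
    return Decision(True, "sensitive" if instruction in SENSITIVE else "ok")


# Constructed sample traffic (numbers and the password 84kq27 are made up).
GUARDIANS = {"+61491570156"}
SAMPLES = [
    ("+61491570157", "pw,123456,ts#", "123456"),  # factory state, stranger
    ("+61491570157", "pw,84kq27,ts#", "84kq27"),  # right password, stranger
    ("+61491570156", "pw,84kq27,ts#", "84kq27"),  # enrolled guardian
    ("+61491570156", "pw,84kq27,ts", "84kq27"),   # missing terminator
]

if __name__ == "__main__":
    for sender, body, pw in SAMPLES:
        print(sender, body, evaluate_sms(sender, body, pw, GUARDIANS))
```

SMS sender numbers can be spoofed, so the allow-list narrows the exposure rather than closing it; commands flagged as sensitive are better served only through an authenticated application channel.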
Future Work
The vulnerability testing of the new set of watches will commence as soon as our sponsor provides us with the watches. The devices will need to be lightly pentested to determine if there are any immediate flaws. To do this, each watch will need to be reviewed in depth, ideally with insider knowledge of how the device works, so that attack vectors can be determined from the information. After each watch has either been successfully breached or withstood the attempts, the flaws of all devices will be compared and categorised based on their key vulnerabilities. The security framework can then be generated using this categorisation.
To create this framework, the team shall initially look at legislation from many countries; this will start the thinking process and give the team an idea of how to adapt this framework to suit Australia. Combining this new knowledge with the flaws found in each of the watches will allow the team to generate a security framework. To assess this, each watch will be tested using the testing methodology framework; this also allows the team to determine if the flaws correspond to more than one device. For example, none of the watches should be controllable using SMS commands, unlike the initial two watches. If any watches fail to pass this test they should immediately be removed from the market.
References
[1] J. Wakefield, "Germany bans children's smartwatches", BBC News, 2018. [Online]. Available: http://www.bbc.com/news/technology-42030109.
[2] S. Siboni, A. Shabtai, N. Tippenhauer, J. Lee and Y. Elovici, "Advanced Security Testbed Framework for Wearable IoT Devices", ACM Transactions on Internet Technology, vol. 16, no. 4, pp. 1-25, 2016.
[3] M. Langone, R. Setola and J. Lopez, "Cybersecurity of Wearable Devices: An Experimental Analysis and a Vulnerability Assessment Method", 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), pp. 304-309, 2017.
[4] C. Meng and C. Meng, "Kids GPS Smart Watch FAQ", Charlottemengchun.blogspot.com.au, 2018. [Online]. Available: http://charlottemengchun.blogspot.com.au/2016/07/kids-gps-smart-watch-faq.html.
[5] "Q50 smart watch SMS commands:", Kid-Control, 2018. [Online]. Available: https://kid-control.com/ufaqs/q50-smart-watch-sms-commands/.
[6] "Uni Reach", Uni-reach.com, 2018. [Online]. Available: http://www.uni-reach.com/UserFiles/Download/2014/2/26/20142261536273795.pdf.
[7] S. Lam Po Tang, "Recent developments in flexible wearable electronics for monitoring applications", Transactions of the Institute of Measurement and Control, vol. 29, no. 3-4, pp. 283-300, 2007.
[8] "CCTR-631 GPS Watch Tracker User Manual", Igps.info, 2018. [Online]. Available: http://www.igps.info/en/cctr-631-gpstracker-en-v1.pdf.
[9] "Setting of GPS-watch for Kids using SMS-commands", FindMyKids Blog, 2018. [Online]. Available: https://findmykids.org/blog/en/setting-of-gps-watch-for-kids-using-sms-commands/.