Nearly all of the GPS-enabled smartwatches the researchers examined reportedly use a shared cloud platform developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices.
According to TechCrunch, the platform acts as the backend for Thinkrace-made devices, storing and serving device locations and other device data.
Not only does Thinkrace sell its own child-tracking watches to parents who want to keep tabs on their children, but the electronics maker also sells its tracking devices to third-party businesses, which then repackage and relabel the devices with their own branding to be sold on to consumers.
Ken Munro, the founder of Pen Test Partners, found that Thinkrace has made more than 360 devices, mostly watches and other trackers, and that brand owners do not always realise the devices they are selling run on a Thinkrace platform.
Each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers traced the commands all the way back to Thinkrace’s cloud platform, which the researchers described as a common point of failure.
The researchers said that most of the commands that control the devices do not require authorisation, and the commands are well documented, so anyone with basic knowledge can gain access and track a device. And because account numbers are assigned sequentially rather than randomised, the researchers could access devices in bulk simply by incrementing the account number by one.
One device maker bought the rights to resell one of Thinkrace’s smartwatches. Like many other resellers, this brand owner allowed parents to track the whereabouts of their children and raise an alarm if they leave a geographical area set by the parent.
The researchers said they could track the location of any child wearing one of these watches by enumerating easy-to-guess account numbers.
The smartwatch also lets parents and children talk to each other, much like a walkie-talkie. But the researchers found that the voice messages were recorded and stored in the same insecure cloud, allowing anyone to download the recordings.
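The two failures described above (unauthenticated device commands on sequential account numbers, and voice recordings retrievable the same way) are one bug class: object-level reads keyed on a guessable identifier with no ownership check. The following is an added illustration, not Thinkrace's code or anything Pen Test Partners published. It models a toy backend with constructed sample accounts, shows how incrementing the account number harvests every device, and places a hardened version beside it. The account layout, token scheme and sample coordinates are assumptions for the example.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    """Constructed tracker record; not Thinkrace's real data model."""
    owner_token: str                      # session token of the parent who owns this tracker
    location: tuple                       # (lat, lon) last reported by the watch
    voice_clips: dict = field(default_factory=dict)   # clip_id -> recording bytes


class InsecureBackend:
    """Models the failure the researchers describe: account numbers are handed out
    as previous-id + 1, and reads never check who is asking."""

    def __init__(self):
        self._next_id = 1000
        self.accounts = {}

    def register(self, owner_token, location, clips=None):
        acct_id = self._next_id            # predictable: caller can guess neighbours
        self._next_id += 1
        self.accounts[acct_id] = Account(owner_token, location, dict(clips or {}))
        return acct_id

    def get_location(self, acct_id):
        # No authorisation: anyone who knows (or guesses) the id gets the position fix.
        return self.accounts[acct_id].location

    def get_voice_clip(self, acct_id, clip_id):
        # Same flaw for stored recordings: the id alone is enough to download them.
        return self.accounts[acct_id].voice_clips[clip_id]


def enumerate_locations(backend, start_id, count):
    """Bulk access by counting upward from a known account number.
    Returns {account_id: location} for every id that exists in the range."""
    found = {}
    for acct_id in range(start_id, start_id + count):
        try:
            found[acct_id] = backend.get_location(acct_id)
        except KeyError:
            continue                      # id not in use, keep walking the range
    return found


class HardenedBackend:
    """Two fixes: an unguessable account identifier, and an ownership check on
    every object-level read. The check is the real fix; the random id only
    removes the cheap enumeration path."""

    def __init__(self):
        self.accounts = {}

    def register(self, owner_token, location, clips=None):
        acct_id = secrets.token_urlsafe(16)   # 128 bits of randomness, not id + 1
        self.accounts[acct_id] = Account(owner_token, location, dict(clips or {}))
        return acct_id

    def _authorise(self, acct_id, caller_token):
        acct = self.accounts.get(acct_id)
        # Constant-time compare so the check itself does not leak token bytes.
        if acct is None or not secrets.compare_digest(acct.owner_token, caller_token):
            raise PermissionError("caller does not own this tracker")
        return acct

    def get_location(self, acct_id, caller_token):
        return self._authorise(acct_id, caller_token).location

    def get_voice_clip(self, acct_id, clip_id, caller_token):
        return self._authorise(acct_id, caller_token).voice_clips[clip_id]


def demo():
    """Runs both backends on constructed data and returns
    (devices harvested by a stranger, owner's own fix, whether a stranger was blocked)."""
    insecure = InsecureBackend()
    first = insecure.register("parent-A", (51.5074, -0.1278), {"c1": b"RIFF...A"})
    insecure.register("parent-B", (48.8566, 2.3522), {"c1": b"RIFF...B"})
    insecure.register("parent-C", (52.5200, 13.4050))
    # A stranger with no credentials at all harvests every watch by counting upward.
    harvested = enumerate_locations(insecure, first, 10)

    hardened = HardenedBackend()
    hid = hardened.register("parent-A", (51.5074, -0.1278), {"c1": b"RIFF...A"})
    own = hardened.get_location(hid, "parent-A")
    try:
        hardened.get_location(hid, "parent-B")    # wrong owner: must be refused
        stranger_blocked = False
    except PermissionError:
        stranger_blocked = True
    return len(harvested), own, stranger_blocked


if __name__ == "__main__":
    print(demo())
```

The point a practitioner should take from the hardened version is that randomising identifiers alone is not sufficient: once a single id leaks (a support ticket, a shared link, a reseller's endpoint), the ownership check in `_authorise` is what still stops a third party from pulling that child's location or recordings.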