- The researcher resorted to this method after the watch manufacturer ignored the vulnerabilities found in these devices for more than a year.
- Over 20 watch models are said to contain flaws that can allow attackers to snoop into these devices.
A security researcher has found an ingenious way to alert a watch company of security flaws found in its products. German researcher Christopher Bleckmann-Dreher demonstrated the feat of printing “PWNED” on GPS maps of hundreds of watches at the Troopers 2019 conference.
The GPS watches are by Vidimensio, an Austrian firm that primarily manufactures GPS trackers and video equipment. The watches were mainly used by children as well as the elderly.
The big picture
- Dreher found security holes in a backend API server used by the GPS watches. He discovered them in December 2017.
- Even after contacting Vidimensio to inform the flaws, the company did not heed to his request and ignored them.
- Dreher warns that around 7000 of these watches were active since last year.
- They could be exploited to launch malicious activities such as eavesdropping, altering GPS data and many more.
- However, Vidimensio has only removed a feature in the API that enabled eavesdropping in the devices.
Issues resolved partially
Dreher told ZDNet that only eavesdropping flaw was resolved but not other issues. “In 03/2018 the vendor removed the eavesdrop/monitor command from his backend. Nowadays monitor mode can be activated by sending an SMS directly to the watch, [but the watch's SIM] mobile number must be known,” he said.
To raise awareness and to rouse the company to take action on the security issues, Dreher printed ‘PWNED’ in more than 300 watches. Furthermore, the researcher also disclosed details of the 20 faulty models of the watches housing these flaws.