[BreachExchange] Australian Kids' Smartwatch Maker Hit By Same Bug Again

Destry Winant destry at riskbasedsecurity.com
Fri Apr 3 10:16:34 EDT 2020


An Australian company that sells a GPS tracking smartwatch for
children accidently introduced a security flaw in its software that
could have allowed hackers to spoof the location of a child as well as
download the personal information of its customers.

Brisbane-based iStaySafe Pty. Ltd. makes the TicTocTrack watch that
enables parents to see the location of their child, call the watch and
get alerts if a child leaves a certain geographic boundary.

Last year, the company received AU$1 million (US$606,000) in funding
from Queensland's government. Australia's government also funds
purchase of the watches through its National Disability Insurance

The security flaw is identical as one discovered in early 2019 by the
U.K.-based security company Pen Test Partners. It appears that the
flaw was mistakenly re-introduced into the code (see: Australian
Child-Tracking Smartwatch Vulnerable to Hackers).

It's unclear how long the bug was in the code, but it was fixed
between Jan. 24 and 25. TicTocTrack has not notified its users that
the problem cropped up again and says it is not required to under
mandatory breach reporting laws.

"There is no immediate security threat to our customers, and there has
been no breach that has resulted in any harm to our customers that
would require any kind of public release," says Karen Cantwell, CEO of

The first time the bug occurred, TicTocTrack notified users by email
and text message and issued a news release. Cantwell says the decision
to notify users was made at that time because the company had to take
its systems offline, which meant the smartwatches wouldn't work.

Troy Hunt, an Australian data breach expert who was involved in
examining TicTocTrack the first time it had this bug, says the norm
for situations like this one is for a public disclosure statement that
describes how long the bug existed.

"The industry expectation when personal information is accessed by an
unauthorized party is that those impacted are promptly notified," Hunt
says. "Depending on jurisdiction, disclosure to the local regulatory
body may also be required."

Identical Bug

The bug was discovered for the second time in January by Gordon
Beeming, a South African developer who was considering buying two
smartwatches for his children.

Beeming says he came across a conference talk by Hunt mentioning the
first TicTocTrack bug and decided to see if the service was still
vulnerable. It was.

Beeming says he was able to obtain the personal data of at least 1,000
registered users. The types of data includes names, email addresses,
phone numbers and profile photos.

With Hunt's permission, Beeming downloaded the data from Hunt's
account, which was accurate. He also pulled the data for Hunt's
7-year-old daughter, including the phone number for the SIM card in
her TicTocTrack watch.

Beeming pulled Hunt's data from TicTocTrack's systems with Hunt's permission.

Beeming says he has since deleted all of the data, and he published a
blog post about his findings on March 18.

The bug is classified as an insecure direct object reference. Anyone
logging into a TicTocTrack account could increment an integer called a
"family identifier," which is assigned to a registered account. By
incrementing the number in that field, the details for another account
is displayed.

TicTocTrack's back-end APIs use odata. During his research, Beeming
was also able to remove a filter from a storage container that held
TicTocTrack's personal account data in bulk, which resulted in all of
the data from that container being pulled into his computer.

"Using this, I was able to give Troy his data," Beeming writes.

But the bug wasn't just limited to exposing personal account data. Ken
Munro, a partner at Pen Test Partners who was involved in disclosure
of this incident as well as the first one, says it would have been
possible to modify the reported location of children.

"The vulnerability was the same insufficiently authorized odata
request as we found originally, so location spoofing would have been
possible," Munro says.

Hunt wrote an in-depth blog post when the first bug arose. To
demonstrate the seriousness of the bug, he allowed Vangelis Stykas, a
security consultant with Pen Test Partners, to experiment with his
daughter Elle's account.

Stykas was able to add himself as a parent on Elle's account, and one
night he called Elle. Hunt published a video of the demonstration.

Troy Hunt's daughter, Elle, responds to an unprompted call from
Vangelis Stykas, a security consultant with U.K.-based Pen Test

TicTocTrack: No Reporting Requirement

Cantwell, CEO of iStaySafe, says the data exposure does not need to be
reported under Australian law nor under the European Union's General
Data Protection Regulation.

Australia introduced a mandatory breach reporting law that came into
force in February 2018. It requires organizations with more than $3
million in turnover to report an incident within 30 days (see:
Australia Enacts Mandatory Breach Notification Law).

The Office of the Australian Information Commissioner, which oversees
the scheme, recommends that breaches that a reasonable person would
think are likely to result in "serious harm" should be reported.

GDPR requires organizations to report incidents where Europeans'
personal data is exposed within 72 hours.

Cantwell maintains that no one else aside from Beeming and Munro
accessed data this time around.

"Our product has not exposed personal data to anyone other than two
ethical hackers that brought and issue to our attention," she says.
"...I'm sure you would agree that no one is immune to attempted

Cantwell says that since the first incident, TicTocTrack has invested
in penetration tests with CREST-certified partners, web application
firewalls and internal data security protocols.

"What our customers are confident of and is evident by their continued
use of our products and services is that we employ all possible
measures to ensure we mitigate risk wherever possible and maintain
data security," she says.

More information about the BreachExchange mailing list