Smartwatch tracker for the vulnerable can be hacked to send medication alerts

API issues could be exploited to make calls, spy on users, send fake messages, and more.
Written by Charlie Osborne, Contributing Writer

Researchers have disclosed a set of serious security issues in a smartwatch tracker used in applications including services designed for the support of the elderly and vulnerable.

On Thursday, cybersecurity experts from Pen Test Partners disclosed security problems found in the SETracker service, software geared towards children and the elderly -- especially those with dementia or individuals who need reminders to complete daily tasks, such as taking their medication.

The GPS tracker app can be used in tandem with a smartwatch by carers to find their charges, and in turn, wearers can use the system to make a call if they need help. 

Chinese developer 3G Electronics' SETracker app, required to use the watches, is available on iOS and Android and has been downloaded over 10 million times. 

However, security flaws in the product meant that it was not only carers or loved ones that could keep track of a wearer's movements or activities. 

The vendor's software, of which there are now three mobile app varieties, is often used in the backend of cheap smartwatches on offer from a variety of brands. SETracker is also found in headsets and in the automotive software industry. 

According to Pen Test Partners, the first major security issue was the discovery of an unrestricted server-to-server API. The server could be used to hijack the SETracker service in ways including, but not limited to, changing device passwords, making calls, sending text messages, conducting surveillance, and accessing cameras embedded in devices.

If a monitor's backend system was based on SETracker, it was possible to send fake messages, including "TAKEPILLS" commands, which are set up to remind wearers to take their medication.

"A dementia sufferer is unlikely to remember that they had already taken their medication," the researchers noted. "An overdose could easily result."

The researchers also came across the software's source code, which was accidentally made publicly available via a compiled node file hosted online as a backup without protection. 

Server-side code, MySQL passwords, email, SMS, and Redis credentials, and a hard-coded password in the source code -- 123456 -- were available to view. A database containing user images was also open to abuse. 

"The source code indicated that this bucket was where ALL the pictures taken by devices are sent. We have not confirmed that," Pen Test Partners says. "Given the use case of these devices is predominately children's trackers it is extremely likely these images will contain images of children."

It is not known if any of the security issues have been exploited in the wild. 

Pen Test Partners disclosed its findings to 3G Electronics on January 22. The vendor did not respond until February 12. Triage followed, with the server API vulnerabilities disclosed on February 17 and fixed a day later.

On May 20, the researchers reported the node file issue to the vendor, and on May 29, 3G Electronics confirmed that the file had been removed and all passwords had been changed. 
