A recent smartwatch exposes the location of more than 5,000 children and parents. The Chinese SMA-Watch-M2 is one of the most vulnerable smartwatches on the market to date. The IoT testing division AV-TEST found enormous amounts of security measures in place to protect the backends of mobile apps.
There is an authentication token in place to prevent unauthorized access, but the token is never verified, so an attacker can input any token they like.
"An attacker can connect to this web API, cycle through all user IDs, and collect data on all kids and their parents. Morgenstern says that using this technique, his team was able to identify more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts." (ZDNet)
There is a more disturbing vulnerability: attackers are able to change the parent IDs and use their phones to pair with a child's smartwatch, which allows them to track the child and to call and chat with them. So far, the watch is banned in Germany and is being pulled off shelves in the EU.
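The missing checks described above, shown from the server side as an added example (not code from the article, AV-TEST or the vendor): a handler that only requires a token to be present, next to one that verifies the token and then confirms the caller is paired with the requested watch. The HMAC token format, the identifiers and the sample data are constructed assumptions.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: secret known only to the backend
# Constructed sample data: which parent account is paired with which watch.
PAIRINGS = {"watch-1001": {"parent-17"}, "watch-1002": {"parent-42"}}
LOCATIONS = {"watch-1001": (52.52, 13.40), "watch-1002": (48.14, 11.58)}


def _mac(parent_id: str) -> str:
    return hmac.new(SERVER_KEY, parent_id.encode(), hashlib.sha256).hexdigest()


def issue_token(parent_id: str) -> str:
    """Token handed out at login: the account id plus an HMAC over it."""
    return f"{parent_id}.{_mac(parent_id)}"


def authenticated_parent(token: str):
    """Return the parent id the token proves, or None if it does not verify."""
    parent_id, sep, mac = token.rpartition(".")
    if not sep or not parent_id:
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(parent_id).encode())
    return parent_id if ok else None


def get_location_weak(token: str, watch_id: str):
    """Behaviour the article describes: a token is required but never checked."""
    if not token:
        return 401, None
    return 200, LOCATIONS.get(watch_id)


def get_location_hardened(token: str, watch_id: str):
    """Verify the token, then authorize the caller for this specific watch."""
    # The parent identity comes from the verified token, never from a
    # parent-ID field the client can edit in the request.
    parent_id = authenticated_parent(token)
    if parent_id is None:
        return 401, None
    if parent_id not in PAIRINGS.get(watch_id, set()):
        return 403, None   # same answer for unknown and foreign watch ids
    return 200, LOCATIONS.get(watch_id)
```

Returning the same 403 for unknown and foreign watch IDs keeps the endpoint from confirming which IDs exist.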
Courtesy of Catalin Cimpanu