Researcher Exposes Security Issue with GPS Smartwatches
After a long, frustrating and ultimately fruitless battle to get an Austrian smartwatch vendor to fix serious vulnerabilities, security researcher Christopher Bleckmann-Dreher finally decided to pull a bit of a prank. Hundreds of the GPS-enabled smartwatches in question displayed the message "PWNED!" on their screens, through connected GPS coordinate points, ZDNet reports.
Mr. Dreher was a speaker at a recent security conference that took place in Germany in March 2019, where he outlined in great detail the vulnerabilities affecting a wide range of GPS watches produced by an Austrian company named Vidimensio. The security issue in question was a flaw in the API used for communication between the devices and the server. The vulnerability was exposed back in late 2017.
Dreher's research into the issue started after Germany officially banned the sale of another brand of smartwatches that allowed parents to listen in on their children, as those had a vulnerability that could easily allow bad actors to snoop on both children and families. Looking into the matter, Dreher found both snooping issues and loopholes that allowed bad actors to feed commands into the GPS watches. When the security issues were first discovered, Dreher was kind enough to turn to the manufacturer first. After Vidimensio failed to take any meaningful action, the researcher used an influential news outlet to pressure the company into implementing working fixes. Sadly, the fixes were only partial and a lot of issues remained.
Using the unpatched holes in the API, Dreher strung a large number of GPS coordinate dots on the watches' screens, effectively writing out "PWNED!" on the screens of the affected devices. He said he did this to hundreds of devices, but he purposefully picked watches that had not been online for over a year.
Sadly, Dreher's efforts have not stopped the sale of the GPS watches, even though he contacted Germany's Federal Network Agency, which in turn refused to force the manufacturer to fully fix its watches. According to the original ZDNet report and interview, the devices are still being sold in Germany and the authorities are not enforcing the official ban.