Written by Zack Whittaker

Smartwatch hack could trick patients to ‘take pills’ with spoofed alerts

Security researchers say a smartwatch, popular with the elderly and dementia patients, could have been tricked into letting an attacker easily take control of the device.

These watches are designed to let patients easily call their carers and to let carers track their patients’ location. They come with their own cellular connection, so they work anywhere.

But researchers at U.K.-based security firm Pen Test Partners said they found they could trigger fake “take pills” reminders on the smartwatch as often as they wanted.

“A dementia sufferer is unlikely to remember that they had already taken their medication,” wrote Vangelis Stykas in a blog post. “An overdose could easily result.”

Researchers triggering the “take pill” alert on a vulnerable smartwatch. (Image: Pen Test Partners/supplied)

The vulnerabilities were found in the back-end cloud system, known as SETracker, which powers the smartwatch. The same cloud system also powers millions of other white-label smartwatches and vehicle trackers across Europe, all of which were vulnerable to basic attacks, the researchers said.

The researchers found a copy of the source code that powers the back-end cloud system, which let them look for security weaknesses in the code. One of the major flaws was that the server used a hardcoded key: anyone who obtained it could send arbitrary commands to remotely control any of these devices.

With this key, an attacker could trigger the “take pills” alert, secretly make phone calls from the device, send text messages, or, in the case of vehicle trackers, cut the engine altogether.
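The hardcoded-key weakness described above, as an added illustration of the flaw class rather than the researchers’ findings or SETracker’s actual code: a hypothetical command relay that authorises every command for every device with one static key embedded in the server source, next to a hardened version that uses a per-device secret issued at enrolment, an HMAC bound to the device and command, a freshness window and a nonce cache. Every name, command and key below is constructed for the example.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical sketch of the flaw class: a relay that forwards commands to
# tracking devices.  Constructed for illustration; none of these names,
# commands or keys come from SETracker.
COMMANDS = {"TAKE_PILLS", "CALL", "SMS", "CUT_ENGINE"}

# Record of what the relay forwarded to devices, for inspection (constructed).
dispatched = []


def dispatch(device_id, command):
    dispatched.append((device_id, command))


# --- Vulnerable pattern: one key for every device, readable by anyone with the code.
HARDCODED_KEY = "hypothetical-static-key"


def vulnerable_handle(device_id, command, key):
    """Forward `command` to `device_id` if the caller presents the shared key."""
    if key != HARDCODED_KEY or command not in COMMANDS:
        return False
    dispatch(device_id, command)
    return True


# --- Hardened pattern: a secret per device, kept out of source control, an HMAC
# over the whole command, a freshness window and a nonce cache against replay.
class CommandRelay:
    def __init__(self, max_skew_seconds=30):
        self.device_secrets = {}   # device_id -> 32-byte secret
        self.seen_nonces = set()   # (device_id, nonce) pairs already accepted
        self.max_skew = max_skew_seconds

    def enroll(self, device_id):
        secret = secrets.token_bytes(32)
        self.device_secrets[device_id] = secret
        return secret              # handed to the device's owner, never to the codebase

    @staticmethod
    def make_tag(secret, device_id, command, ts, nonce):
        msg = f"{device_id}|{command}|{ts}|{nonce}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def handle(self, device_id, command, ts, nonce, tag, now=None):
        now = time.time() if now is None else now
        secret = self.device_secrets.get(device_id)
        if secret is None or command not in COMMANDS:
            return False
        if abs(now - ts) > self.max_skew:            # stale or future-dated message
            return False
        if (device_id, nonce) in self.seen_nonces:   # replay of an accepted message
            return False
        expected = self.make_tag(secret, device_id, command, ts, nonce)
        if not hmac.compare_digest(expected, tag):   # wrong secret or tampered fields
            return False
        self.seen_nonces.add((device_id, nonce))
        dispatch(device_id, command)
        return True


def demo():
    """Exercise both patterns.

    Returns (leak_works, owner_ok, cross_device_blocked, replay_blocked)."""
    dispatched.clear()
    # Anyone who read the leaked source can push a pill alert to any watch.
    leak_works = vulnerable_handle("watch-0001", "TAKE_PILLS", HARDCODED_KEY)

    relay = CommandRelay()
    car_secret = relay.enroll("tracker-0002")
    relay.enroll("watch-0001")
    now = 1_600_000_000
    # The tracker's legitimate owner stops the engine.
    owner_ok = relay.handle(
        "tracker-0002", "CUT_ENGINE", now, "n1",
        relay.make_tag(car_secret, "tracker-0002", "CUT_ENGINE", now, "n1"), now=now)
    # The same secret cannot address another device: the tag covers device_id.
    cross = relay.handle(
        "watch-0001", "TAKE_PILLS", now, "n2",
        relay.make_tag(car_secret, "watch-0001", "TAKE_PILLS", now, "n2"), now=now)
    # Replaying the accepted message is rejected by the nonce cache.
    replay = relay.handle(
        "tracker-0002", "CUT_ENGINE", now, "n1",
        relay.make_tag(car_secret, "tracker-0002", "CUT_ENGINE", now, "n1"), now=now)
    return leak_works, owner_ok, not cross, not replay


if __name__ == "__main__":
    print(demo(), dispatched)
```

The point of the hardened version is that leaking the server source no longer yields anything usable: the per-device secrets live outside the code, a secret only authorises its own device, and a captured command cannot be replayed once the window closes or the nonce has been seen.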

The code also had passwords and tokens to SETracker’s cloud storage, which the researchers believe — based on the code — stored data uploaded by these devices. But the researchers were unable to check as doing so would have broken U.K. computer hacking laws.

The researchers said that the vulnerabilities have now been fixed. It isn’t known if the flaws had been exploited by someone else.

This latest research comes just months after Pen Test Partners found similar vulnerabilities in widely used white-label child-tracking smartwatches.

A lack of security is a growing trend among smart device makers, which often build devices with little consideration for good cybersecurity practice. That prompted the U.K. government to propose new legislation that would improve their security by mandating that smart devices must be sold with a baseline level of security, such as unique passwords.

Data brokers track everywhere you go, but their days may be numbered

Everywhere you go, you are being followed. Not by some creep in a raincoat, but by the advertisers wanting to sell you things.

The more advertisers know about you — where you go, which shops you visit, and what purchases you make — the more they can profile you, understand your tastes, your hobbies and interests, and use that information to target you with ads. You can thank the phone in your pocket — the apps on it, to be more accurate — that invisibly spits out gobs of data about you as you go about your day.

Your location, chief among the data, is by far the most revealing.

Apps, just like websites, are filled with trackers that send your real-time location to data brokers. In return, these data brokers sell on that data to advertisers, while the app maker gets a cut of the money. If you let your weather app know your location to serve you the forecast, you’re also giving your location to data brokers.

Don’t be too surprised. It’s all explained in the privacy policy that you didn’t read.

By collecting your location data, these data brokers have access to intensely personal aspects of your life and can easily build a map of everywhere you go. This data isn’t just for advertising. Immigration authorities have bought access to users’ location data to help catch the undocumented. In one case, a marketing firm used location data harvested from phones to predict the race, age, and gender of Black Lives Matter protesters. It’s an enormous industry, said to be worth at least $200 billion.

Only in recent years has it become possible to learn what these data brokers know about us. But the law is slowly catching up. Anyone in Europe can request access to obtain or delete their data under the GDPR rules. California’s new consumer privacy law grants California residents access to their data.

But because so many data brokers collect and resell that data, the data marketplace is a fragmented mess, making it impossible to know which companies have your data. That can make requesting it a nightmare.

Jordan Wright, a senior security architect at Duo Security, requested his data from some of the biggest data brokers in the industry, citing California’s new consumer privacy law. Not all went to plan. Because he lives out of state, only one of the 14 data brokers approved his request and sent him his data.

What came back was a year’s worth of location data.

Wright works in cybersecurity and knows better than most how much data spills out of his phone. He takes precautions, and is careful about the apps he puts on his phone. Yet the data he got back showed where he lives, where he works, and where he took his family on holiday before the pandemic hit.

“It’s frustrating not fully knowing what data has been collected or shared and by whom,” he wrote in a blog post. “The reality is that dozens of companies are monitoring the location of hundreds of millions of unsuspecting people every single day.”

Avoiding this invasive tracking is nearly impossible. Just like with web ad tracking, you have little choice but to accept the app’s terms. Allow the tracking, or don’t use the app.

But the winds are changing and there is an increasing appetite to rein in the data brokers and advertising giants by kneecapping their data collection efforts. As privacy became a more prominent selling point for phone consumers, the two largest smartphone makers, Apple and Google, in recent years began to curb the growing power of data brokers.

Both iPhones and Android devices now let you opt out of ad tracking, a move that doesn’t reduce the ads that appear but prevents advertisers from tracking you across the web or between apps.

Apple threw down the gauntlet last month when it said its next software update, iOS 14, would let users opt out of app tracking altogether, serving a severe blow to data brokers and advertisers by reducing the amount of data these ad giants collect on millions without their explicit and direct consent. That prompted an angry letter from the Interactive Advertising Bureau, an industry trade group that represents online advertisers, which expressed its “strong concerns” and effectively asked Apple to back down from the plans.

Google also plans to roll out new app controls for location data in its next Android release.

It’s not the only effort taking on data brokers, but it’s been the most effective so far. Lawmakers are scrambling to find bipartisan support for a proposed federal data protection agency before the end of the year, when Congress resets and enters a new legislative session.

Shy of an unlikely fix by Washington, it’s up to the tech giants to keep pushing back.

TikTok saw a rise in government demands for user data

Earlier this year, TikTok’s parent company ByteDance joined the raft of American tech giants that publish the number of government demands for user data and takedown requests by releasing its own numbers. The move was met with heavy skepticism, amid concerns about the app maker’s links to China, and accusations that it poses a threat to U.S. national security, a claim it has repeatedly denied.

In its second and most recent transparency report, published today, TikTok said it received 500 total legal demands, including emergency requests, from governments in the first half of the year, up 67% on the previous half. Most of the demands came from the United States.

TikTok also received 45 government demands to remove content. India, which submitted the most takedown requests, earlier this month banned TikTok from the country, citing security concerns.

But noticeably absent from the report is China, where TikTok is not available but where its parent, ByteDance, is headquartered. That’s not an uncommon occurrence: Facebook and Twitter, neither of which is available in China, have not received or complied with demands from the Chinese government. Instead, ByteDance has a separate video app, Douyin, for users in mainland China.

TikTok spokesperson Hilary McQuaide told TechCrunch: “We have never provided user data to the Chinese government, nor would we do so if asked.”

“We do not and have not removed any content at the request of the Chinese government, and would not do so if asked,” the spokesperson said.

But the company’s efforts to fall in line with the rest of the U.S. tech scene’s transparency efforts are not likely to quell the long-held fears of its critics, including lawmakers, who last year called on U.S. intelligence to investigate the firm.

TikTok continues to contend that it’s not a threat and that it’s firmly rooted in the United States.

Earlier this week, the company said it was withdrawing from Hong Kong in response to the new Beijing-imposed national security law.