The SETracker app, from the Chinese developer 3G Electronics, was reported to have serious security flaws, and those have now been fixed. The app, which is required to use the company's smartwatches, exposed an unrestricted server-to-server API. Through this flaw, bad actors could use the server to hijack the SETracker service: changing device passwords, making calls, sending text messages, conducting surveillance, and accessing cameras embedded in devices. However, 3G Electronics responded quickly to the researchers, fixed the vulnerability, and changed the exposed passwords.
"In this case, as a result of a vulnerability in the control interface of the device, or API (Application Programming Interface), an attacker could gain control and deliver messages through it. As one of the functionalities of the smartwatch is to remind the user to take their pills, the attacker could simply trigger more alerts than permitted, therefore endangering the user's life as they could overdose. This is just one example of how the device could be manipulated. Sending fraudulent messages, controlling SMS traffic, blocking the GPS trackers on the watch or even accessing the camera as well as images on these devices are only some of the many capabilities the attacker could abuse. Furthermore, the publicly available source code for some applications has serious flaws affecting hardcoded credentials, server information of the SETracker ecosystem database access and more," says Boris Cipot, Senior Security Engineer at Synopsys Software Integrity Group.
The researchers also found that the software's source code had accidentally been made publicly available through a compiled Node file hosted online as an unprotected backup. Passwords, email, SMS, photos and credentials were viewable in it.
"Security weaknesses in IoT devices continue to make headlines. It's not surprising that there is a real push to ensure medical device providers in particular have a process to accept vulnerability reports from third-party researchers, and the FDA recently released guidance on how providers should do this, because any issues in the device are really messy to clean up. The ETSI has also recently released guidance for all IoT manufacturers selling in Europe on the same theme. However, in this case, the weakness actually wasn't in the device but was a bug in the API that communicated with the watch, a super common vulnerability that we see on thousands of customer assets," says Bill Lummis, Technical Program Manager at HackerOne.
Since its launch, the app, available on iOS and Android, has been downloaded over 10 million times.