A now-fixed bug in a cheap smart GPS tracker potentially allowed stalkers to infiltrate families.
Thanks to the so-called Internet of Things, gone are the days when parents had to wonder where the hell their kids were. Now, parents can just easily track their children on their smartphone screens thanks to myriad internet-connected wearable gizmos. But what happens when those devices get hacked?
The HereO watch and its accompanying iPhone and Android apps do just that, allowing "entire families to share their locations with each other throughout the day," according to HereO's official site. But due to a bug in the app's platform web service, or API, the HereO also let pretty much anyone with a little technical know-how pretend to be part of the family, and thus gave stalkers a way to easily track and even send messages to any kids or family members wearing the watch, according to new research published on Tuesday.
Anyone could "basically impersonate the parents, which is creepy," Tod Beardsley, the security research manager at Rapid7, the firm who studied the device, told Motherboard. "Not super useful for traditional computer crime but is definitely in the creepy zone."
This is just yet another example of how the Internet of Things (IoT) can go wrong. It's the kind of issue that not only could end up as fodder for the hilarious Internet of Shit parody Twitter account, but could one day give real-life stalkers and child predators an easy way to find their targets.
The issue with the HereO was that anyone could add themselves to the trusted family group just by knowing the user ID of any family member, according to Beardsley, who said the user ID is likely a person's email address, thus easy to figure out. The API essentially allowed the hacker or stalker to add himself or herself to the family's network and track members through the app.
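The flaw Beardsley describes is a missing authorization check on the "add to family" operation. The following is an added illustration, not HereO's or Rapid7's code, and the data model, function names and invite flow are assumptions: it models that API in a few lines of Python, with the unchecked version beside a hardened one that requires the caller to already be a member and the invitee to consent.

```python
class Forbidden(Exception):
    pass


class FamilyService:
    def __init__(self):
        self.families = {}  # family_id -> set of member user IDs (emails, per the article)
        self.pending = {}   # (family_id, invitee) -> inviter, awaiting the invitee's consent

    def create_family(self, family_id, owner):
        self.families[family_id] = {owner}

    def family_of(self, user_id):
        return next((fid for fid, m in self.families.items() if user_id in m), None)

    # Vulnerable pattern: the request names an existing member and a new user,
    # and the server trusts it without checking who is actually calling, so
    # anyone who knows a member's user ID can add themselves to the group.
    def add_member_unchecked(self, existing_member, new_user):
        self.families[self.family_of(existing_member)].add(new_user)

    # Hardened pattern: the authenticated caller must already belong to the
    # family, and the invitee joins only after explicitly accepting.
    def invite(self, caller, family_id, invitee):
        if caller not in self.families.get(family_id, set()):
            raise Forbidden("caller is not a member of this family")
        self.pending[(family_id, invitee)] = caller

    def accept_invite(self, caller, family_id):
        if self.pending.pop((family_id, caller), None) is None:
            raise Forbidden("no pending invitation for this user")
        self.families[family_id].add(caller)


def demo():
    """Constructed scenario; returns (stranger joined via unchecked API, via hardened API, child joined legitimately)."""
    parent, child, stranger = "parent@example.com", "kid@example.com", "stranger@example.com"
    vuln = FamilyService()
    vuln.create_family("fam-1", parent)
    vuln.add_member_unchecked(parent, stranger)  # only the parent's user ID was needed
    fixed = FamilyService()
    fixed.create_family("fam-1", parent)
    try:
        fixed.invite(stranger, "fam-1", stranger)  # stranger is not a member: rejected
        joined_fixed = True
    except Forbidden:
        joined_fixed = False
    fixed.invite(parent, "fam-1", child)  # legitimate flow still works
    fixed.accept_invite(child, "fam-1")
    return stranger in vuln.families["fam-1"], joined_fixed, child in fixed.families["fam-1"]
```

The same check belongs on every read path too (locations, messages), since membership is what gates access to the family's data.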
The good news is that HereO fixed the bug on December 15, roughly six weeks after Rapid7 researcher Mark Stanislav reported the flaw to the company.
HereO's chief technology officer Eli Shemesh told Motherboard that the company fixed the bug "four hours from the moment we have received the report," and also added that they have taken other measures "to improve the product security." (The company later also issued a statement.)
That, according to Beardsley, is great news because it shows that HereO was responsible and quick to fix the bug. Rapid7 also recently analyzed another IoT device, the Fisher Price Smart Toy Bear, and found a similar bug, which allowed hackers to find out the personal details of all the children using it.
Issues like these are the reason why Beardsley's kids only "have real laptops and real phones."
"I don't buy any of these IoT stuff," he told me in a phone interview.
On the bright side, the companies' willingness to respond to the bug reports and fix the flaws, Beardsley added, seems to indicate that IoT makers are starting to be aware of the fact that they need to take security seriously, and shows that "things are getting better."
This story has been updated to include HereO's response.