Picture this: your child’s bright, cartoon-faced smart watch — sold as a way to keep them safe — could, in theory, become a tiny cog in a plot to rig a TV talent show.
It sounds ridiculous, but as Ken Munro, Founder of Pen Test Partners, told delegates at the IoT Security Annual Conference in London, that’s precisely the kind of chaos bad IoT security makes possible.
“The idea of these tracker watches is that you can have a little mobile app, give the kid the watch, and you can track the child so you know where they are,” Munro said. “Fantastic.”
Unfortunately though, as Munro put it, “that little watch is actually a mini cell phone.” Each device contains a SIM card and transmits data via an API to a cloud platform that the parent’s mobile app connects to.
“Through an authorisation fail — a lack of attention to detail — it gave you a [authorisation] token, but the token wasn’t properly authorised,” he explained. “It gave us complete access to every single user’s kids’ watch.”
Working with Australia-based researcher Troy Hunt, Munro’s team confirmed that the flaw was real — and disturbing. “We discovered that not only was it leaking the real-time GPS location for children, you could also rewrite it,” Munro said. “That’s his daughter Elle, playing tennis at Southport. You can rewrite it and drop her somewhere else entirely.”
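As an added illustration (not Pen Test Partners' code nor any vendor's real API; account names, tokens, watch ids and coordinates are all constructed), the handlers below model the authorisation gap Munro describes: the first checks only that the token is valid, so any authenticated parent can read or rewrite any child's location; the second adds the missing object-level check.

```python
# Hypothetical model of a tracker-watch cloud API (constructed for this article).
from dataclasses import dataclass

@dataclass
class Watch:
    watch_id: str
    owner: str           # parent account that registered the watch
    location: tuple      # (lat, lon); constructed sample values

# Constructed data: two parent accounts, one child watch each.
TOKENS = {"tok-parent-a": "parent-a", "tok-parent-b": "parent-b"}
WATCHES = {
    "watch-1": Watch("watch-1", "parent-a", (53.65, -3.01)),
    "watch-2": Watch("watch-2", "parent-b", (51.51, -0.12)),
}

def authenticate(token: str) -> str:
    """Map a bearer token to the account it was issued to; reject unknown tokens."""
    try:
        return TOKENS[token]
    except KeyError:
        raise PermissionError("invalid token")

def set_location_vulnerable(token: str, watch_id: str, loc: tuple) -> tuple:
    """Authenticates the caller, then trusts whatever watch_id it supplies.
    Any valid account can therefore read or rewrite any child's location."""
    authenticate(token)                # who is calling: checked
    watch = WATCHES[watch_id]          # whether they may touch this watch: never checked
    watch.location = loc
    return watch.location

def set_location_fixed(token: str, watch_id: str, loc: tuple) -> tuple:
    """Same handler with object-level authorisation: the watch must belong to the caller."""
    account = authenticate(token)
    watch = WATCHES.get(watch_id)
    # One error for both "no such watch" and "not your watch", so ids cannot be enumerated.
    if watch is None or watch.owner != account:
        raise PermissionError("watch not found")
    watch.location = loc
    return watch.location

def blocked(handler, token: str, watch_id: str) -> bool:
    """True if the handler refuses the request; used to compare the two versions."""
    try:
        handler(token, watch_id, (0.0, 0.0))
        return False
    except PermissionError:
        return True
```

Running `blocked(set_location_fixed, "tok-parent-b", "watch-1")` returns True while the vulnerable handler happily overwrites the other family's child location.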
Because the watches could also accept voice commands, the implications went far beyond tracking. “We could enable the microphone, enable the speaker,” Munro added. “There’s a wonderful video we did with Troy where one of my colleagues actually spoke to his child through the watch — in a very creepy accent. Surely we can do better at this, particularly for our children.”
And then came the mischievous thought experiment. “We discovered authorisation issues that allowed us to trigger phone calls and send SMS messages,” Munro said. “See where I’m going with this yet? We did a little bit of research to work out how much you’d have to influence the television. Believe it or not, it’s not very many calls.”
In theory, he joked, “we’ve got all these random phones on kids’ wrists sending SMSs and making calls to influence the Eurovision phone vote. Now, we don’t do this — we’re ethical and responsible, right? But we worked out we wouldn’t need many more than about 100,000 additional SMSs to bump the UK up the leaderboard.”
It may sound fanciful, but Munro pointed out that it has already happened — not at Eurovision, but in The Voice Kids Russia, where one contestant miraculously won with 41,000 votes reportedly traced to rigged phones.
Over the past decade, UK-based Pen Test Partners has become known for uncovering the absurd and alarming side of IoT design — from hijacking smart TVs that eavesdropped on households, to the now-infamous My Friend Cayla doll, which allowed strangers to listen and talk to children via Bluetooth.
“We weren’t trying to embarrass manufacturers,” Munro has said of those early exposés. “We wanted to make IoT better — to show that security can’t be an afterthought.” Those investigations helped push regulators and toy makers to tighten standards, but, as his latest example shows, the lessons still aren’t universal.