Last Thursday, I published an investigative report I have been working on for about three months. Between Christmas and New Year's, a security researcher by the name of Christopher Dreher contacted the heise online editorial offices with an unbelievable story: He had bought a GPS tracking smartwatch and had found horrendous security vulnerabilities. The devices are marketed for people to track their kids, spouses and grandparents – in itself that concept is horrible enough to me. But the Vidimensio Paladin was even worse: Anyone could make the watch call a phone number of their choosing, without the wearer noticing it. The attacker could then hear anything picked up by the watch’s microphone.
The hack is literally one line of code.
The researcher had contacted us to deal with the manufacturer, as heise Security has an excellent track record when it comes to responsibly disclosing vulnerabilities we cover. I took up the story and wrote to the seller of the watches, aiming to keep my source confidential. And here comes the second WTF of the story: That didn’t work, because the manufacturer contacted the security researcher directly. How? The guy who runs the company selling these watches had apparently recognised the email address Dreher used when he bought his test watch as obviously belonging to a security company. When I contacted Vidimensio, they apparently went straight to Dreher without telling me. Now, there’s something to try if you really want to piss off a journalist… Yeah, I’m biased, but take this advice anyway: Never annoy a journalist who’s writing a story on you or your work. That’s not a good idea.
Well, as you might expect, I clamped down harder and decided to get one of these watches for myself. Obviously, we didn’t buy it under my name or using a heise.de email address.
In the meantime, the one-man show at Vidimensio had implemented TLS encryption between the app that controls the settings on the watch and the control server that acts as a go-between to pass commands from the phone on to the watch. Yes. Before this update in February, traffic from the Android and iOS apps to the server was not encrypted whatsoever. 🤦
There goes my chance to reproduce this vulnerability, I thought. My story would’ve died right there. Except it didn’t. The guy hadn’t implemented cert pinning. Took me about twenty minutes to figure out how to put my own cert on the phone and sniff the traffic with mitmproxy. There it was: All the commands the app sends to the server. In plain text. From there I could retrace Dreher’s steps in reverse engineering the server API, and I also got the unique device ID of my watch. The server URL, port, accepted commands and the ID of the watch you want to attack are all you need to initiate the clandestine surveillance.
Now, it would have been bad enough if I was able to attack my own watch like this. But it was obvious from the low entropy of the ID number that it wasn’t pseudo-randomly generated. In fact, it turned out that the ID numbers just seemed to increment by one with every new watch sold. This meant I could potentially find hundreds of other watches out there. I could track them in real time via GPS coordinates, get the contact data on those watches and also listen in on what was being said around them. In my almost five years of covering security vulnerabilities and privacy-related topics, I had never come across anything remotely resembling this level of unbelievable idiocy.
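To make the "low entropy" point above concrete from the defender's side, here is an added example (my own illustration, not code from the article, from Vidimensio or from the researcher) of how a developer could audit their own device ID scheme before shipping. The sample IDs are constructed for the demonstration: a batch allocated by a counter, as the watches apparently were, beside a batch drawn from a cryptographic random source. The scores and the hypothetical function names are my own assumptions.

```python
import secrets

# Constructed sample data (not real Paladin IDs): a batch of IDs handed out
# by a simple counter, of which an observer has seen every second one ...
SEQUENTIAL_IDS = [1000421 + i for i in range(0, 40, 2)]
# ... and a batch of constructed 64-bit values standing in for IDs drawn
# from a CSPRNG.
RANDOM_IDS = [
    0x3F9A1C2E7B5D0412,
    0x8E21D0F4A6C39B77,
    0x17C4E9A03D5FB286,
    0xD25B77E1409AC3F8,
]


def generate_device_id(nbits: int = 128) -> str:
    """Return an unguessable device identifier from the OS CSPRNG.

    With 2**128 possible values and, say, a million devices in the field,
    a blind guess lands on a real device with probability ~3e-33, so
    enumeration by counting up is hopeless.
    """
    return secrets.token_hex(nbits // 8)


def sequential_score(ids) -> float:
    """Fraction of the numeric range spanned by the observed IDs that is
    actually occupied by an observed ID.

    Near 1.0 means the IDs are packed tightly, which is what a counter
    produces; near 0.0 means they are sparse in a large space, which is
    what random generation produces.
    """
    ids = sorted(set(ids))
    if len(ids) < 2:
        return 1.0
    span = ids[-1] - ids[0] + 1
    return len(ids) / span


def looks_enumerable(ids, threshold: float = 0.01) -> bool:
    """Flag an ID scheme whose observed IDs occupy at least `threshold`
    of their own range: anyone holding one valid ID can then find
    neighbours by trying adjacent values."""
    return sequential_score(ids) >= threshold


def guess_hit_probability(num_devices: int, id_space_bits: int) -> float:
    """Probability that a single uniformly random guess in a space of
    2**id_space_bits values hits one of num_devices issued IDs."""
    return num_devices / 2 ** id_space_bits


if __name__ == "__main__":
    for name, ids in (("counter", SEQUENTIAL_IDS), ("random", RANDOM_IDS)):
        print(f"{name:8s} score={sequential_score(ids):.3e} "
              f"enumerable={looks_enumerable(ids)}")
    # A 7-digit counter lives in a space of roughly 2**24 values.
    print("hit probability, 1000 devices, 24-bit IDs :",
          guess_hit_probability(1000, 24))
    print("hit probability, 1000 devices, 128-bit IDs:",
          guess_hit_probability(1000, 128))
    print("fresh random ID:", generate_device_id())
```

Run it as a script to see the two batches scored side by side; the counter batch is flagged, the random batch is not. The audit is only as good as the sample it sees, so the practical use is to run it over the IDs a production database actually contains, not over a handful of test devices.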
Here’s me showing off how easy it is to hack this watch in a short video.
I wrote the editorial of the c’t issue we published the story in expressing my exasperation with this story and calling for programmers of all stripes to learn from this example and think about how crucial their code is becoming in our everyday lives. How can someone implement such a dangerous server API and then just ship it as it is? I simply can’t understand this type of behaviour.
The thing took me three months to research mostly because of the obstinate and ornery behaviour of the manufacturer of the devices and the resulting legal concerns surrounding the story’s publication. Basically, we had to make sure the story was legally watertight, in case the guy running the company overreacted after we went to press. I was completely sure what I had found out and had written was true and honest. But proving the same thing in a lawsuit is a completely different thing. I won’t bore you with inside baseball kind of details, but suffice it to say it took a lot of my time and energy to communicate with the company and thoroughly document my findings.
Talking to the company was especially taxing. The guy tended to start discussions, arguing his small company and mediocre products weren’t worth my time or my audience’s attention. He would not understand that his customers (and possible future customers) had the right to understand just how horrible his damn smartwatch of hell really was. I’m pretty sure exchanges like this are why journalists have a well-deserved reputation of tending to cradle up at their desk with a bottle of scotch. I know I felt like it plenty of times. God bless the fact that there’s beer available in the ICE on-board restaurant is all I’m gonna say.
In the end, I’m very proud of this story. I wish I’d had the opportunity to also publish it in English, though. It definitely deserves the audience.