Ethical hackers have discovered a flaw that could have allowed an attacker to trigger a potential overdose among the most vulnerable smartwatch users.
My elderly mother is living with Alzheimer's disease, and were her dementia not so advanced, a smartwatch that could track her whereabouts and remind her to take her medication would be a godsend. Unless, that is, the same device could be hacked in such a way that it could cause the wearer to take an overdose.
That is almost exactly the scenario Pen Test Partners' ethical hackers uncovered when researching the application software used to enable this type of smartwatch tracking. Software that, according to the researchers, has been downloaded more than 10 million times.
In a technical deep dive published today, Tony Gee of Pen Test Partners explains precisely how the vulnerability could have been exploited.
The flaw affected the SETracker, SETracker2 and SETracker3 applications, developed by 3G Electronics of Shenzhen, China. The apps connect the device on which they are installed, whether a smartwatch or a tracker, to back-end servers that allow caregivers to track the location of a user with dementia.
I know from my own experience that it's not unusual for people with dementia to end up somewhere without knowing how to get home. Devices running this software can simply place a call to the caregiver if there is a problem.
Another attractive feature is the caregiver's ability to set medication reminders on the device. During the COVID-19 lockdown, this was surely a lifeline for many remote users. As the researchers discovered, it also had the potential to be precisely the opposite.
The problem turned out to be an unrestricted server-to-server application programming interface (API), which meant an attacker could send the "TAKEPILLS" command that reminds the user to take their medication. There were many other things an attacker could have done, including tracking the user's location and spying on them by using the watch as a listening device.
The TAKEPILLS vulnerability, Gee said, meant that someone could simply "trigger the drug alert as they wish." Since a user with dementia probably wouldn't remember having already taken their medication, hence the need for such a device in the first place, the danger that this could lead to an overdose was very real.
Pen Test Partners contacted 3G Electronics promptly after finding the vulnerabilities, and the response was just as quick, with the vulnerabilities fixed within four days of disclosure.
The fix, as reported by the BBC, was made at the server end of the equation. Tony Gee said the server-to-server API was fixed by "restricting it to specific IP addresses". This means the window of exploitation was not left open for users who had, for whatever reason, not installed an update, a common complaint with many device vulnerability patches.
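To make the flaw class concrete, here is an added example, written for this page and not taken from Pen Test Partners' research or 3G Electronics' code. It models a toy server-to-server command endpoint in two shapes: the unrestricted one the article describes, where anyone who can reach the endpoint can push a TAKEPILLS command to a device, and a hardened one that restricts callers to an allowlist of peer IP addresses as the reported fix did. The hardened version additionally requires an HMAC over the request body, which goes beyond the fix the article reports and is included as the extra check a practitioner would want, since an IP allowlist is only a network-layer control. The LOCATE command, the 203.0.113.0/24 range, the device ID and the shared secret are all constructed for the example.

```python
# Added example (not code from the page, Pen Test Partners or 3G Electronics):
# a toy server-to-server command endpoint showing the flaw class described
# above (no caller restriction) beside a hardened version that restricts the
# endpoint to an allowlist of peer IP addresses and, going beyond the fix the
# article reports, also requires an HMAC over the request body.
import hashlib
import hmac
import ipaddress
import json

# Hypothetical command set. TAKEPILLS is the command the article names;
# LOCATE is an assumed placeholder for the location-tracking function.
KNOWN_COMMANDS = {"TAKEPILLS", "LOCATE"}

# Constructed values: a TEST-NET-3 range standing in for the vendor's own
# server, and a shared secret the two servers would hold.
ALLOWED_PEERS = [ipaddress.ip_network("203.0.113.0/24")]
SHARED_SECRET = b"example-shared-secret-not-for-production"


def dispatch(cmd, device_id):
    """Stand-in for pushing a command to the watch; just describes the action."""
    return f"sent {cmd} to device {device_id}"


def handle_unrestricted(body):
    """Vulnerable shape: anyone who can reach the endpoint and knows a device
    ID can push any command, including a spurious medication reminder."""
    req = json.loads(body)
    cmd, device_id = req.get("cmd"), req.get("device_id")
    if cmd not in KNOWN_COMMANDS or not device_id:
        return 400, "bad request"
    return 200, dispatch(cmd, device_id)


def sign(body, secret=SHARED_SECRET):
    """HMAC-SHA256 the legitimate peer server would attach to each request."""
    return hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()


def handle_restricted(peer_ip, body, signature):
    """Hardened shape. peer_ip must be the TCP peer address the server saw,
    never a client-supplied header such as X-Forwarded-For, or the allowlist
    is trivially bypassed."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return 400, "bad peer address"
    if not any(addr in net for net in ALLOWED_PEERS):
        return 403, "peer not allowlisted"
    # Allowlisting alone is a network-layer control; a shared-secret MAC also
    # binds the request body to a holder of the secret.
    if not hmac.compare_digest(sign(body), signature):
        return 401, "bad signature"
    return handle_unrestricted(body)


if __name__ == "__main__":
    # Constructed request: the exact command the researchers flagged.
    body = json.dumps({"cmd": "TAKEPILLS", "device_id": "watch-0001"})
    print(handle_unrestricted(body))                             # attacker succeeds
    print(handle_restricted("198.51.100.7", body, sign(body)))   # blocked by allowlist
    print(handle_restricted("203.0.113.5", body, "deadbeef"))    # blocked by MAC
    print(handle_restricted("203.0.113.5", body, sign(body)))    # legitimate peer
```

Because the check lives entirely on the server, every deployed watch and app benefits at once, which is the point the article makes about a server-side fix not depending on users installing an update. Note that the allowlist is only as good as the peer address the server trusts: behind a reverse proxy, the real client address must come from the proxy's own trusted configuration, not from a header the caller can set.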
“Technology can have such a vital role in supporting patients, but it must be fully tested beforehand to help protect everyone,” Jake Moore, a cybersecurity specialist at ESET, said. “As many people favor convenience over security,” he continued, “it’s vital they come fitted with security by design to help protect the devices and users.”
I have reached out to 3G Electronics for a statement.
I'm a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994. A three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010), I was also fortunate enough to be named BT Technology Journalist of the Year in 1996 for an innovative feature in PC Pro called "Internet Threats". In 2011, I won the Enigma Award for my lifelong contribution to computer security journalism. Contact me in confidence at [email protected] if you have a story to reveal or research to share.