PWNED: Researcher uses broken API to print message on GPS watches
A German security researcher printed the word “PWNED!” on hundreds of GPS watches to prove a point about a broken API.
Christopher Bleckmann-Dreher discovered a vulnerability in an API used by Austrian GPS watch manufacturer Vidimensio.
The firm’s watches are used by a wide range of the population from the elderly down to children, and it affected over 20 models.
Dreher alerted Vidimensio to the problem but it was ignored for over a year. Given the potential for much greater risk in the wrong hands, Dreher decided to prove a point about leaving such vulnerabilities unfixed in a cheeky – relatively harmless – manner.
All of the affected models share the same backend API which intends to work as an intermediary and storage point between the associated mobile software and the watch. Dreher compromised this API to write the message on the GPS map for their devices.
Back in 2017, German authorities banned the sale of smartwatches to minors claiming they can be used as listening devices. This prompted Dreher’s work.
Consistent with authorities’ warnings, Dreher found users of the Vidimensio Paladin watch could be eavesdropped on and even tracked. Despite their warnings, however, the number of affected watches used has grown from 700 to around 7000.
The exploit requires changing a parameter and entering another user’s ID. These numbers are sequential, hence why Dreher knows there are currently around 7000 registered users.
Dreher has shown why it's so crucial to check all APIs are secure. The last thing you want is a hacker tracking, listening, or sending messages worse than “PWNED!” to your users.
You can watch Dreher’s presentation at the Troopers 2019 security conference below:
Interested in hearing industry leaders discuss subjects like this and sharing their experiences? Attend the Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London, and Amsterdam to learn more.