Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

A GPS tracker used by elderly people and young kids has a security hole that could allow others to track and secretly record their wearers. The white-label product is manufactured in China and then rebadged and rebranded by a range of companies in the UK, US, Australia and elsewhere including Pebbell 2, OwnFone and SureSafeGo …

  1. Starace Silver badge

    Hardly a surprise

    All these cheap little Chinese GPS toys are basically the same and none of them are exactly the most robust or secure designs.

    That's why they're dirt cheap.

    On the other hand who exactly is going to bother except a group of 'researchers' who thought a mass scan of customer hardware was appropriate behaviour?

    1. anonymous boring coward Silver badge

      Re: Hardly a surprise

      On the other hand, paying loads more won't make it any better. Just more expensive.

      It's a no-brainer that all these things, and IoT things, are flawed.

      I'm just surprised that it's even newsworthy.

    2. Pascal Monett Silver badge

      Re: who exactly is going to bother

      Who knows ?

      That is the problem.

      1. AMBxx Silver badge

        Re: who exactly is going to bother

        Not difficult to predict how this could be used.

        Reset a bunch.

        Remotely turn on the GPS.

        Find out where person lives from the GPS.

        Wait until they're out and break in.

        Yes, the wearer is likely to be far from the hacker, but I'm sure there's a ready market for this level of information.

        1. JLAKER

          Re: who exactly is going to bother

          Find out where a person lives from the GPS? GPS doesn't give you a post code and an address! You'd have to track them from the pings to the GPS signal location, then basically spy on them physically to work out where they live (and even then you don't know it's their home). So let's assume you do know they have left the property, given all the effort you already put in to staking them out, wouldn't it just be easier to burgle someone a little closer to home?

          1. Baldrickk Silver badge

            Re: who exactly is going to bother

            When I get in the car in the mornings, I can talk to my phone and tell it to "navigate to work"

            Now I've never told it where work actually is, but I do go to the same place every weekday, at just about the same time, stay there for 8 hrs or so, then leave. Really not too hard to work that out.

            If I'm in the same place almost every night, then it's a good bet that that is where I live.

            Yes, burglary would be easier close to home, but if you can just search for devices, it would be fairly easy to find at least some close to home given a little time.

          2. Flywheel Silver badge

            Re: who exactly is going to bother

            How about a situation like "..my rich, obstinate and elderly father still chooses to live alone in his semi-rural farmhouse property with the nearest neighbours 3 miles away". GPS and online maps are the ne'er-do-wells' friend in this case.

    3. whitepines Silver badge

      Re: Hardly a surprise

      On the other hand who exactly is going to bother except a group of 'researchers' who thought a mass scan of customer hardware was appropriate behaviour?

      Not defending the researchers' actions per se, but the vendor decided to connect these things directly to a very public cell network. How is that much different than putting, for the sake of argument, voice activated toys in windows along a public road, then someone walking down the street shouting at them to see which ones talk back?

    4. a_yank_lurker Silver badge

      Re: Hardly a surprise

      The intent of the researchers is to find major problems so they can be fixed. Thus the publication of their findings. How many of these devices have already been hacked is unknown. Also, if the hack was used by a miscreant to aid in committing a crime before, would the flatfeet have tried to check the device for signs of the hack? It would be a clue.

    5. Anonymous Coward
      Anonymous Coward

      Re: Hardly a surprise

      "On the other hand who exactly is going to bother except a group of 'researchers' who thought a mass scan of customer hardware was appropriate behaviour?"

      History has shown that if it wasn't for researchers and tech sites like El Reg exposing the privacy and security problems of all these gadgets nothing would ever be done to try and fix the problems.

      Most all companies only correct problems when the problems start costing more than the cost of improvements.

    6. mark 120

      Re: Hardly a surprise

      Perhaps I'd bother, if my ex had custody of the kids and I wanted to know where they now resided, and when they're likely to be unattended.

    7. Brian Miller
      Devil

      Re: Hardly a surprise

      No, everybody is missing the point: If you have no security, then there isn't a security issue!

      "This device tracks your position within 100 meters and hands that information out to anyone who wants it. It contains a microphone, and all audio is available at will. It can easily accommodate ad-hoc software, without regards of purpose of said software."

      See? Now you have a clear privacy statement, and a clear statement of security.

  2. Maelstorm
    Facepalm

    And this is why...

    And this is why we shouldn't trust any gear that comes out of China.

    1. Will Godfrey Silver badge

      Re: And this is why...

      And this is why we shouldn't trust any cheap tat.

      FTFY

      So this really comes as no surprise.

      1. Stoneshop Silver badge

        Re: And this is why...

        And this is why we shouldn't trust any cheap tat.

        There's also heaps of expensive tat that fails to be even minimally secure

    2. Nick Kew Silver badge

      Re: And this is why...

      Because the vendors badging it as their own had no possible responsibility.

      In a race to the bottom, you might get crap.

    3. emullinsabq

      Re: And this is why...

      Does USA inherit the blame for all of Intel's security flaws?

      It's not just you either. Apparently it's trendy to vilify China these days. Imagine if the article was about an Intel chip, and ElReg substituted China with United States.

      That possibly nobody's heard of the actual company is no excuse. The salient _news_ aspect is the company, not the country. But ofc, if it were Intel, I think the actual blame goes on those who actually sold the kit without understanding the chips used. Same here.

      1. Anonymous Coward
        Anonymous Coward

        Re: And this is why...

        @emullinsabq

        A more appropriate comparison might be to look at the history of flaws (and/or backdoors) in Cisco and Jupiter equipment....devices running the core of the internet! How much hacking has been done --- in secret --- using these flaws by bad actors like the NSA and GCHQ? MILLIONS of users exposed every day!!

        *

        I think we should be told!

  3. Anonymous Coward
    Anonymous Coward

    Somebody should ...

    Investigate why the guy in the picture keeps falling down staircases. He did similar stunt work in this week's On Call article.

    Hope he gets paid well and has great accident insurance.

    1. John Brown (no body) Silver badge
      Thumb Up

      Re: Somebody should ...

      I wonder if he's called Buster?

    2. Anonymous Coward
      Anonymous Coward

      Re: Somebody should ...

      I'm unsure if he does it on purpose or if he's the fall guy.

      1. Sir Runcible Spoon Silver badge
        Coat

        Re: Somebody should ...

        It's Lee Majors

      2. quxinot Silver badge

        Re: Somebody should ...

        Identified in one fell swoop!

    3. Nick Kew Silver badge

      Re: Somebody should ...

      The On Call was on outdoor-grade stone steps. And he's propping himself up, with head raised and laptop poised. But yes, they do look rather alike.

      Is it coincidence, or is falling head-first down the stairs a remaining bastion of white male (and other common characteristics) domination? Where's the Reg's commitment to Diworsity?

      1. Sir Runcible Spoon Silver badge

        Re: Somebody should ...

        My wife and I were discussing something like this a few nights ago and I predicted that soon all portrayals of humans would need to be androgynous whilst also being multi-coloured (think rainbow stripes)

        1. Anonymous Coward
          Anonymous Coward

          Re: Somebody should ...

          Can't do the stripes, in any given scenario at least one of the colors represented would claim "cultural appropriation".

          1. Sir Runcible Spoon Silver badge

            Re: Somebody should ...

            Wouldn't they have to actually be stripey for that?

  4. sitta_europea Bronze badge

    But it's got a security label!

    https://www.gov.uk/government/collections/secure-by-design

  5. chivo243 Silver badge
    Unhappy

    Sure, I know to avoid this crap and so do you if you're reading this. However, lots of our friends and family probably don't know any better. I would like to use the word "standards", but I know it will fall on deaf ears. The next issue is how to dispose of this crap too. Maybe this should be factored into the design and manufacture?

    1. Nolveys Silver badge
      Windows

      The next issue is how to dispose of this crap too. Maybe this should be factored into the design and manufacture?

      So the assembly line ends with a conveyor belt that drops finished units in a dumpster?

  6. This post has been deleted by its author

    1. hayzoos

      Re: Welcome to ethical testing 101...

      Is there any more risk in this structured test than the device being robocalled?

      I would hope they did not send just any random message, but one they tested on the device they had.

    2. Malcolm Weir Silver badge

      Re: Welcome to ethical testing 101...

      The article states that they got responses from 7%. Not that they compromised 7%. For example, it's common for IoT responders to have a "status" or "version" command, which could be used benignly...

  7. Jason Bloomberg Silver badge

    "The potential for harm is massive"

    "Potential for", maybe, but back in the real world...

    It doesn't seem to me a Granny with a 'fucked by a script kiddie' tracker is any worse off than a Granny who doesn't have a tracker, or has one whose battery has gone flat, or wanders out of range of a base station.

    Obviously there's a potential for tracking down a vulnerable Granny using GPS but I imagine there would be easier pickings in the local park.

    I am however left wondering who's going to be the first to come up with something like FlightAware, for tracking Grannies rather than planes?

    1. Nick Kew Silver badge
      Devil

      Re: "The potential for harm is massive"

      Perhaps in the event of a real-world emergency, being tracked by script-kiddie might even be a Good Thing? As in, one more person to notice the alert, and perhaps also more clued-up than panicking relatives about what it means and what to do.

      Just a thought ...

    2. John Brown (no body) Silver badge

      Re: "The potential for harm is massive"

      "It doesn't seem to me a Granny with a 'fucked by a script kiddie' tracker is any worse off than a Granny who doesn't have a tracker, or has one whose battery has gone flat, or wanders out of range of a base station."

      If you think granny has a working tracker, you may not be quite so worried when not there in person and therefore may not visit quite so often because you expected to get a warning message if something goes wrong.

      1. Anonymous Coward
        Facepalm

        Re: "The potential for harm is massive"

        Not really a relevant comment to those of us whose nonagenarian progenitor lives over six hours away.

        1. Paul Crawford Silver badge

          Re: "The potential for harm is massive"

          Really? You don't think this could also be abused to occupy emergency/social services for whatever reason the bad guys have? Or to trick your nonagenarian into doing something like reading out bank details to "confirm her identity"?

          1. Anonymous Coward
            Anonymous Coward

            Re: "The potential for harm is massive"

            The comment was about "not visiting quite so often", which I took as visiting often enough to check up on him. Which only applies if you live locally enough to visit regularly in the first place, so you'd expect to find him still alive and hopefully OK if he'd fallen and couldn't get up.

            Without an alarm, it could be a long time before anyone notices. With an alarm, I'm unlikely to be able to check in person if it goes off, but I can try to contact his neighbour, or if that's not possible the local emergency services.

    3. whitepines Silver badge
      Facepalm

      Re: "The potential for harm is massive"

      It doesn't seem to me a Granny with a 'fucked by a script kiddie' tracker is any worse off than a Granny who doesn't have a tracker, or has one whose battery has gone flat, or wanders out of range of a base station.

      Does Granny read her bank numbers to herself off of a piece of paper while she thinks she's in the privacy of her own flat? Ditto for any other sensitive information; us humans are wont to change our behaviour when we think no one, or only trusted people, are in earshot.

      Granny with a drained account needing care could definitely be worse than no tracker!

    4. MadDrFrank

      Re: "The potential for harm is massive"

      The article says the devices are used for tracking and communicating with kids as well as elderly people.

      Not surprising, it is an obvious use. The risk is obvious also.

      Incidentally why emphasise grannies? As a great-granddad I demand the right to b̶e̶ ̶a̶ ̶n̶u̶i̶s̶a̶n̶c̶e̶ be worried about!

  8. Marketing Hack Silver badge
    Holmes

    Help! My device security has fallen and it can't get up!!

    Cheap IoT crap is not secure!! In other news, fish continue swimming, birds are remarkably airborne.

    1. John Brown (no body) Silver badge

      Re: Help! My device security has fallen and it can't get up!!

      "birds are remarkably airborne."

      God dammit. My pet emu just flew off, you bastard!

      He didn't know he could fly until he read your comment.

      1. Anonymous Coward
        Anonymous Coward

        Re: Help! My device security has fallen and it can't get up!!

        My green duck wishes it could fly, but it can’t, no matter who tells it that it can.

        1. Jamie Jones Silver badge

          Re: Help! My device security has fallen and it can't get up!!

          But who is his very best friend?

        2. Sir Runcible Spoon Silver badge

          Re: Help! My device security has fallen and it can't get up!!

          I seem to recall he was once made to fly, by Jasper Carrot I think (could be wrong)

  9. Mike 16 Silver badge

    A list of approved contacts?

    Given the apparent ease of spoofing pretty much any number, what is the point of having such a list? If you are targeting a particular granny or kid, it should be pretty easy to guess who is on that list.

    1. Malcolm Weir Silver badge

      Re: A list of approved contacts?

      Quite. Surely "the right" approach is to give devices a unique PIN that's printed on the thing. And probably disable "reset via SMS" in favor of a "reset via WiFi only" approach, because then you'd have to be on the same network with physical access to the device to read the PIN...

      1. doublelayer Silver badge

        Re: A list of approved contacts?

        Or we could go old school and have one of those paper clip reset buttons. It's not like reset is a function that really needs to be activated all that often.

        1. Anonymous Coward
          Anonymous Coward

          Re: A list of approved contacts?

          "Or we could go old school and have one of those paper clip reset buttons."

          Definitely. To me anyone who designed a thing which can be reset remotely is a very, very stupid person.

          Or has specific reasons for a remotely resettable device, not told to customers.

          From a security point of view, for this kind of device the only safe method is a physical button.
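The design the last few replies converge on (a PIN printed on the device as the actual credential, caller ID treated as spoofable and therefore only one factor, and no factory reset over SMS at all) can be sketched as an inbound-command handler. This is an added example in Python, not code from the thread, the article or any tracker vendor; the PIN, phone numbers, command names and failure budget are constructed values, and the handler, class and function names are hypothetical.

```python
import hmac
from dataclasses import dataclass, field

# Constructed sample values for the demonstration: a hypothetical per-device
# PIN (printed on the unit, as the thread suggests) and a hypothetical
# approved-contact list. Neither comes from the article or any real product.
DEVICE_PIN = "483920"
APPROVED_CONTACTS = frozenset({"+441234567890", "+441234567891"})

# Commands honoured over SMS. RESET is deliberately not in this set: the
# thread's point is that a factory reset should need a physical button.
SMS_COMMANDS = frozenset({"STATUS", "LOCATE", "CALLBACK"})


@dataclass
class TrackerSmsHandler:
    pin: str
    contacts: frozenset
    max_failures: int = 5          # bad-PIN budget before the device stops answering
    failures: int = 0
    audit: list = field(default_factory=list)   # record for later review

    def _reject(self, sender, text, reason):
        self.audit.append(("REJECT", sender, text, reason))
        return False, reason

    def handle(self, sender: str, text: str):
        """Return (accepted, reason) for one inbound SMS.

        Caller ID is spoofable, so the approved list is only one factor; the
        PIN in the message body is the credential that authorises a command.
        """
        parts = text.strip().split()
        if len(parts) != 2:
            return self._reject(sender, text, "malformed: expected '<PIN> <COMMAND>'")
        pin, cmd = parts[0], parts[1].upper()

        if cmd == "RESET":
            # Never accepted remotely, regardless of sender or PIN.
            return self._reject(sender, text, "RESET is physical-button only")
        if cmd not in SMS_COMMANDS:
            return self._reject(sender, text, f"unknown command {cmd}")
        if self.failures >= self.max_failures:
            return self._reject(sender, text, "PIN lockout: too many failures")
        if sender not in self.contacts:
            return self._reject(sender, text, "sender not on approved list")
        # Constant-time comparison so response timing does not leak PIN digits.
        if not hmac.compare_digest(pin.encode(), self.pin.encode()):
            self.failures += 1
            return self._reject(sender, text, "bad PIN")

        self.failures = 0
        self.audit.append(("ACCEPT", sender, text, cmd))
        return True, cmd


def demo():
    """Run constructed messages through the handler and return the outcomes."""
    h = TrackerSmsHandler(DEVICE_PIN, APPROVED_CONTACTS)
    messages = [
        ("+441234567890", "483920 STATUS"),   # approved number, right PIN
        ("+447000000000", "483920 LOCATE"),   # right PIN, number not on the list
        ("+441234567890", "000000 LOCATE"),   # approved (or spoofed) number, wrong PIN
        ("+441234567890", "483920 RESET"),    # never accepted over SMS
        ("+441234567890", "LOCATE"),          # no PIN at all
    ]
    return [h.handle(s, t) for s, t in messages]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The lockout counter is per device rather than per sender, because a per-sender counter keyed on a spoofable number would not mean much; the trade-off is that anyone who can reach the device's number can exhaust the budget and silence it, which is the same denial-of-service exposure any SMS-addressable device has and is one more reason the reset path stays on a physical button. The audit list is what a carer or integrator would want to see after the fact: repeated rejections from an unknown number are the observable signal that someone is probing the device.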

  10. J J Carter Silver badge
    Trollface

    Weak double entendre

    Nobody would want to 'backdoor' my Nan

    1. Sir Runcible Spoon Silver badge
      Coat

      Re: Weak double entendre

      no GILF then?

      1. Paul Crawford Silver badge
        Coffee/keyboard

        Re: Weak double entendre

        Or GGILF perhaps?


Biting the hand that feeds IT © 1998–2019