Welcome to the future, where privacy is an optimistic, nostalgic myth. It’s almost impossible now to go a whole day without a story about a privacy breach, leaked data or stolen passwords. And today is no exception.
UK research group Pen Test Partners released their findings today: 47 million vulnerable devices, used by over five million children. “It’s only the tip of the iceberg,” they said. From smartwatches to activity trackers, they all seem to be storing their data in less than optimal conditions.
We’ve all seen this coming. One of the greatest threats presented by IoT is decreased privacy. You’ve got millions of devices constantly connected and sending data over WiFi and cellular networks. It’s rather optimistic to assume that all manufacturers take the necessary security precautions to protect the privacy of all that data, particularly when it comes to low-cost devices.
The findings cover a flawed cloud platform developed by Chinese electronics maker Thinkrace. You’d be forgiven for not being familiar with the name. Thinkrace is a white-label manufacturer, allowing other companies to sell Thinkrace devices under their own branding, a very common practice in today’s highly commoditized tech scene in China.
Of course, this means that the location of anyone who uses these products, which are targeted at children, can be exposed by anyone with a bit of know-how. The data is not protected using any kind of authentication and the account numbers aren’t randomized, so incrementing an account number by one nets you access to someone else’s data.
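To make the flaw concrete, here is an added example (not code from Pen Test Partners or Thinkrace) that puts an unauthenticated lookup keyed by sequential account numbers beside a hardened store that binds every request to a session and issues random account ids. The store, function names and sample coordinates are constructed for illustration, and credential checking at login is assumed to happen elsewhere.

```python
import secrets

# Constructed sample data: sequential account number -> tracker location.
LOCATIONS = {1001: (51.50, -0.12), 1002: (53.48, -2.24)}


def get_location_vulnerable(account_id):
    """The flaw described above: no caller identity is checked, and
    account numbers are sequential, so neighbouring ids are valid."""
    return LOCATIONS.get(account_id)


class HardenedStore:
    """Hypothetical fix: random account ids plus a per-request ownership check."""

    def __init__(self):
        self._locations = {}  # random account id -> location
        self._sessions = {}   # session token -> account id that owns it

    def register(self, location):
        # 128 bits of randomness: ids cannot be guessed or incremented.
        account_id = secrets.token_urlsafe(16)
        self._locations[account_id] = location
        return account_id

    def login(self, account_id):
        # Assumption: the password or device credential was already verified.
        if account_id not in self._locations:
            raise PermissionError("unknown account")
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account_id
        return token

    def get_location(self, token, account_id):
        owner = self._sessions.get(token)
        if owner is None:
            raise PermissionError("not authenticated")
        # Authorisation: the session must belong to the requested account.
        if not secrets.compare_digest(owner, account_id):
            raise PermissionError("not authorised for this account")
        return self._locations[account_id]
```

Random identifiers alone are not the fix; the ownership check in `get_location` is what stops one account from reading another's data, and the same check would have to guard the stored voice recordings.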
As terrifying as this is, it’s not even the worst part. Devices with on-board microphones used for walkie-talkie features also save voice recordings in the aforementioned vulnerable cloud, allowing anyone to download them. The recordings are of children talking to their parents. This is not unlike the CloudPets scandal in 2017, which exposed two million children’s voice recordings through their “smart teddy bear”.
These vulnerabilities have been reported since 2015, and while some resellers have rectified them, most have not. So, as always, do your homework before buying such devices to ensure your children’s data is safe and properly handled.