It's even worse than that. Most of the GPS child watches or other trackers use a few large Chinese providers; they have little or no security on their APIs and administrative panels (absolutely no API key authentication in at least one case, or `admin`/`admin` type defaults that don't get changed), so don't ever buy any GPS tracking watches for your child.
Which is unfortunate because there are times when I wish my kid had one. I'm not too worried about kidnapping, but there are times when I want to say come back from the park for dinner.
The software is being pushed so fast into the market and everyone doesn't want to be left behind. Security features are one of the first ones to be ignored, and that's very bad.
> "Rapid7's researchers also found that the three smartwatches had the exact same default password: 123456. It's unlikely people would change this password, as the devices don't even tell the users that password exists or how they can change it"
And he comes to the same conclusion I did: skip the cheap-ass commodity shit and go buy an Apple Watch. Series 3 can be had for US$200, plus the matching phone. Yeah, that’s a shit-ton of money. That’s what it costs to track your child and not get something from a company that scrimped on security to have an office party (documented in the article).
Because the whole time I’m reading the article thinking, “oh, c’mon, I could scrape together capital to do better than that. Ain’t gonna be $69 at Wal-Mart, though.” As I designed it in my head, I realized that for $200 I’d redesigned what Apple already sells, and my low volume would have a hard time beating $200 on cost.
Security flaws are almost expected in devices like this. While parents equipping their children with these watches are probably a security risk themselves, I believe the realities of software development can explain the flaws we are seeing. I doubt the software has seen any tests at all. The developers are probably happy that it works at all.
When you read that one reseller “didn’t have money for security” lest they not have an office Christmas party, it’s obvious that it is not a systemic problem in software development itself.
“Almost expected”? Only if one is there for the cash-grab.
I am generalizing of course, but as an I don't think we have the engineering rigour of other engineering practices to ensure their security. We also tend to rely too much on third parties being trustworthy, be that software dependencies or SaaS providers.
Because unless you're deeply involved in politics or some nefarious activity, all that surveillance isn't likely to impact you immediately and directly in any noticeable way. Most of it isn't even seen by other humans. Whereas parents have direct power over their children, and they tend to pay close attention - which makes "eavesdropping" on children both a huge risk for parental abuse, and a general source of development issues, as tracked kids know their movements are watched and subject to consequences.
It’s also bad that “adult” devices eavesdrop on adults, but in theory adults can decide for themselves if they’re ok with it.
In practice, I suspect the average adult is as aware of how much their devices spy on them as they are of the terms and conditions of the products and services they use — a distant and meaningless theoretical that might as well be a work of fiction.
I like those devices too, but they, and all other kids' smart-watches, have the same issue - huge attack surface due to use of cloud-based third party servers to gather and display information, and to change configuration of the device with a parent's smartphone via an app. I, personally, don't care about that level of convenience, which imposes lower security. I would prefer information about location to arrive even via SMS/email in the form of good-old GPS coordinates, which can be requested only from a list of pre-approved phone numbers, all of which are configured using a physical USB connection. The only problem with such an approach is hijacking of the phone number of one of the parents, but that is very unlikely.
Jesus!
https://foundation.mozilla.org/en/privacynotincluded/
The core team is all ex-Moto engineers and was built from the ground up in the US. Based out of Chicago I believe.