Proven: Some GPS Watch Manufacturers Ignore Hacking Hazards

At the end of March, the security conference Troopers 2019 was held in Heidelberg (Germany). Among other talks, specialist Christopher Bleckmann-Dreher gave a presentation on the blatant irresponsibility of one of the local manufacturers of smart watches with GPS coordinate tracking.

This story began at the end of 2017, after the federal security agency banned watches capable of remote one-way wiretapping and required owners to destroy them. Such devices could be used for covert espionage and are banned in Germany. In the wake of this, Dreher studied the Paladin watch model from the Austrian company Vidimensio. In the process, it turned out that the APIs on the Vidimensio servers are vulnerable to data interception, including tracking of the owner's coordinates, and allow remote hacking using simple commands.

Vidimensio watches are quite popular in Germany and Austria. The manufacturer was notified about the vulnerability but, as it turned out, closed only the possibility of remote wiretapping. Despite the specialist's repeated requests to Vidimensio and even appeals to the federal authorities, nothing happened.

Finally, Dreher decided on an unusual step. Using one of the vulnerabilities he had discovered, the researcher sent the coordinates he needed to more than 300 Vidimensio watches. Interestingly, these watches were considered destroyed, as required by the federal security agency. But this did not prevent the "destroyed" watches from appearing on the coordinate-tracking map and spelling out the word "PWNED!" (Hacked!), a typical hacker greeting after a successful hack.


The specialist hopes that this move will draw attention to the problem and help protect unsuspecting owners from the danger of personal data leaks. Incidentally, about 20 models of Vidimensio watches, the list of which you can see above, are affected by the discovered vulnerability, and these devices are often bought for children and elderly parents, who generally understand little about security.




Source: 3dnews.ru
