Projects:2018s1-167 Security Assessment of Watchem and Moochies Watches
Narayan Shanmuganathan (Team Leader)
Georgia Castignani (Technical Lead)
Nooragha Sharifi (Document Manager)
We acknowledge our families, for raising and always supporting us. We thank our project supervisors Matthew Sorell and Richard Matthews, for always being willing to guide our group. We recognise the Spacetalk Honours project member, Brent Williams, for assisting in the project. We value our mentor, PhD student, Filip Karisik, for providing us feedback on how to structure our thesis. We are thankful to fellow Honours students Erwin Ng, Inder Singh, Munirah Taliah De Vries and Takudza Taziva for teaching us about the Android ecosystem. We are grateful to SAAB graduate engineer, Maruf Aziz, for educating us on the fundamental principles behind computer network protocols. Last, but certainly not least, we thank Mr Pranjal Chowdhury for his insight into the children's safety watches ecosystem.
Numerous safety watches, designed for children, have been banned in Germany due to potential security and privacy concerns. Generally, these devices are linked to an application that allows the child’s guardian to monitor them. If a cyber-vulnerability exists within such a watch, it is conceivable that a hacker can use this vulnerability to obtain sensitive data from the watch, reducing the overall privacy and safety of the wearer. A few of these examples include unauthorised access to the child’s GPS coordinates, remote extraction of phone numbers and voice data exfiltration. Thus, it is imperative that these safety wearables are secure, to avoid unintended parties being privy to the child’s private data.
The aim of this project was to create a security framework that assesses the security vulnerabilities of a children’s safety watch. Before designing the framework to achieve this aim, two objectives had to be satisfied. The first objective was to obtain preliminary results demonstrating that critical vulnerabilities exist in children’s safety watches in Australia. Accomplishing this emphasized the importance of creating a security framework to assess these devices. The second objective was to pentest selected children’s safety watches. Meeting this objective allowed the group to gain the knowledge required to realise the project’s aim. The security framework was written in a concise and easy-to-understand manner. This enables individuals without a technical background to pentest children’s safety watches with the assistance of the group’s security framework.
Children’s safety watches are Internet of Things (IoT) devices that aim to increase the security of the children wearing them [3, 4, 5, 6]. Generally, these devices allow a parent/guardian to monitor the real-time GPS location of their child, specify the contact list or receive SOS alarms from the linked children’s safety watch [3, 4, 5, 6]. However, concerns have been raised regarding the security of these devices [1, 2]. The Federal Network Agency, a German telecoms regulator, banned children’s safety watches from being sold in the country, for numerous privacy and security concerns. Likewise, the Norwegian Consumer Council (NCC) found significant critical security flaws in available devices, following extensive pentesting. The NCC stated that two of the pentested devices have critical security flaws that can theoretically allow an attacker to take control of the linked application, to gain access to the child’s personal details and real-time GPS location. Creating a framework to assess the security of a children’s safety watch provided knowledge on the critical security vulnerabilities associated with these devices. The results of the project are of interest to telecommunications service providers who sell these devices to the public. However, children and their families, the primary users of these watches, will be the ultimate beneficiaries of the project, as the framework is intended to increase the security standards of these devices.
A children’s safety watch is marketed to increase the safety of the child wearing the device [3, 4, 5, 6]. For instance, the Today Show had a segment outlining how one brand of children’s safety watch could increase the safety of the wearer. However, we found several critical security vulnerabilities in this children’s safety watch that will be discussed in the vulnerability assessment section. This watch uses a system architecture that is utilised in several other children’s safety watches. The creators of this system architecture (name withheld for security reasons) estimate that the system architecture’s linked application has 60,000,000 potential users. This highlights that a security framework should be available to evaluate the security of individual devices. Creating a framework to assess the security vulnerabilities of a children’s safety watch benefits multiple stakeholders. In general, the framework assists telecommunications companies to assess the security vulnerabilities of these devices. Furthermore, the project will raise awareness of the potential dangers of these devices with parents/guardians and help to increase the safety of children wearing such devices.
Some research papers have focused on developing a testing methodology for discovering vulnerabilities in general wearable IoT devices. In  a dynamic testing methodology which focuses on simulating the realistic environmental conditions of the wearable IoT devices has been discussed. This paper uses a black box testing methodology while assuming only the final product is available; hence the approach used in this paper cannot provide a mapping of the IoT device to a specific security level, but rather lists the results of the tests. Vulnerabilities have also already been demonstrated for 3 distinct wearable devices that collect user data (i.e. Fitbits) and communicate with the user’s smartphone. The vulnerabilities exposed in this paper relate to elements in the Wireless Body Area Network (WBAN) architecture and Bluetooth Low Energy (BLE) protocols. These vulnerabilities are verified experimentally through 3 specific case studies which use general attack processes developed in this paper. In this paper we propose a methodology similar to  and reduce the scope to wearables marketed as children’s safety watches.
Five selected watches were pentested according to their key characteristics. This included the system architecture, the linked application/website, SMS command functionality, communication channels and security protocols. Furthermore, the vast majority of the utilised attack vectors are applicable to all children’s safety watches and were adapted from existing pentesting techniques. After executing an attack vector, the methodology and results of the experiment were documented. Computer programs such as Charles Proxy, Telnet, Apktool and Android Studio were used to assess the vulnerability of these devices. Charles Proxy was used to check the network protocols and packets of a watch’s linked server. Telnet was utilised to send and receive data packets on a local computer. Apktool decompiled the linked application of a watch into source code and Android Studio was used as an Integrated Development Environment (IDE) to analyse this code. The SMS command experiments revealed critical security flaws in watches A, B, C and D. These devices had identical vulnerabilities, as they used the same system architecture. Consequently, our results were sent to the relevant agencies, such as the Australian Federal Police (AFP). Following this, we decided to focus more on Watch E, as it appeared to be more secure, following the conclusion of the SMS commands experiment.
We reported our SMS vulnerability findings to relevant agencies in Australia, and we understand action is being taken to protect Australian consumers from the watches' product shortcomings. These devices can be instructed to perform certain actions if correctly formatted SMS commands are sent to the watch's number. Using these commands, we were able to double register the devices to prevent the parent from accessing the watches via the corresponding application, remotely monitor the sounds recorded by the watch's microphone without the knowledge of the wearer and access each watch’s private data such as GPS location.
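The three SMS findings above share one root cause: the watch acts on a well-formed message without establishing who sent it. The sketch below is an added example of a watch-side command gate that closes each case; it is not code from the project or from any vendor, and the command names, message layout, PIN scheme and phone numbers are hypothetical, constructed for illustration.

```python
import hmac
import time
from dataclasses import dataclass

# Hypothetical command names for the three abuses reported above; not a vendor protocol.
COMMANDS = {"REGISTER", "MONITOR", "LOCATE"}
MAX_BAD_PINS, LOCKOUT_SECONDS = 3, 900

@dataclass
class Watch:
    guardians: frozenset          # numbers enrolled through the paired app
    pin: str
    pin_is_factory: bool = True   # stays True until the guardian sets a PIN
    bound: bool = False           # True once an account owns the watch
    bad_pins: int = 0
    locked_until: float = 0.0

def handle_sms(watch, sender, body, now=None):
    """Return (accepted, reason) for one inbound SMS of the form 'CMD,PIN'; fail closed."""
    now = time.time() if now is None else now
    cmd, sep, pin = body.strip().partition(",")
    cmd = cmd.upper()
    if not sep or cmd not in COMMANDS:
        return False, "malformed"
    if now < watch.locked_until:
        return False, "locked-out"
    # Sender IDs can be spoofed, so the allowlist is a filter, not the credential.
    if sender not in watch.guardians:
        return False, "sender-not-enrolled"
    if watch.pin_is_factory:
        return False, "factory-pin"
    if not hmac.compare_digest(pin.encode(), watch.pin.encode()):
        watch.bad_pins += 1
        if watch.bad_pins >= MAX_BAD_PINS:
            watch.bad_pins, watch.locked_until = 0, now + LOCKOUT_SECONDS
        return False, "bad-pin"
    watch.bad_pins = 0
    if cmd == "REGISTER" and watch.bound:
        return False, "already-bound"              # blocks a second registration
    if cmd == "MONITOR":
        return True, "accepted-with-wearer-alert"  # never open the microphone silently
    return True, "accepted"
```

The reason strings are what a firmware build would log, so that rejected commands are visible to the guardian application and to anyone reviewing the device later.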
Further pentesting experiments will need to be made to create a robust security framework. For example, the group has not spent time pentesting a children’s safety watch using BLE. BLE is a common wireless standard that is used in many WIoT devices. Applications often use BLE to send private data. However, BLE is known to be susceptible to passive eavesdropping, identity tracking and MITM attacks. Thus, children’s safety watches should avoid the use of BLE if possible. Nevertheless, Watch E uses BLE and consequently, the group will focus on pentesting this wireless standard. Ubertooth is an open-source project that is used to capture and demodulate BLE signals for these purposes.
The security framework should be used in additional case studies (i.e. assess extra children’s safety watches) for review purposes. If further improvements to the framework are required, then additional research will be conducted to implement these changes. Lastly, the framework can be adapted to fit other specific IoT devices, such as an ankle monitor.
 J. Wakefield, "Germany bans children's smartwatches", BBC News, 2018. [Online]. Available: http://www.bbc.com/news/technology-42030109.
 S. Siboni, A. Shabtai, N. Tippenhauer, J. Lee and Y. Elovici, "Advanced Security Testbed Framework for Wearable IoT Devices", ACM Transactions on Internet Technology, vol. 16, no. 4, pp. 1-25, 2016.
 M. Langone, R. Setola and J. Lopez, "Cybersecurity of Wearable Devices: An Experimental Analysis and a Vulnerability Assessment Method", 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), pp. 304-309, 2017.
 C. Meng and C. Meng, "Kids GPS Smart Watch FAQ", Charlottemengchun.blogspot.com.au, 2018. [Online]. Available: http://charlottemengchun.blogspot.com.au/2016/07/kids-gps-smart-watch-faq.html.
 "Q50 smart watch SMS commands:", Kid-Control, 2018. [Online]. Available: https://kid-control.com/ufaqs/q50-smart-watch-sms-commands/.
 "Uni Reach", Uni-reach.com, 2018. [Online]. Available: http://www.uni-reach.com/UserFiles/Download/2014/2/26/20142261536273795.pdf.
 S. Lam Po Tang, "Recent developments in flexible wearable electronics for monitoring applications", Transactions of the Institute of Measurement and Control, vol. 29, no. 3-4, pp. 283-300, 2007.
 "CCTR-631 GPS Watch Tracker User Manual", Igps.info, 2018. [Online]. Available: http://www.igps.info/en/cctr-631-gpstracker-en-v1.pdf.
 "Setting of GPS-watch for Kids using SMS-commands", FindMyKids Blog, 2018. [Online]. Available: https://findmykids.org/blog/en/setting-of-gps-watch-for-kids-using-sms-commands/.
 B. Bhushan, G. Sahoo, and A. K. Rai, “Man-in-the-middle attack in wireless and computer networking — a review,” in 2017 3rd International Conference on Advances in Computing, Communication Automation (ICACCA) (Fall), pp. 1–6, Sep 2017, [Accessed 11/May/2018].
 “What is a man-in-the-middle-attack and how to prevent it.” https://www.globalsign.com/en/blog/what-is-a-man-in-the-middle-attack/, Published 01/Mar/2017, [Accessed 01/Apr/2018]. Globalsign.
 H. Kolamunna, J. Chauhan, Y. Hu, K. Thilakarathna, D. Perino, D. Makaroff, and A. Seneviratne, “Are wearables ready for https? on the potential of direct secure communication on wearables,” in 2017 IEEE 42nd Conference on Local Computer Networks (LCN), pp. 321–329, Published Oct 2017, [Accessed 09/May/2018].