Projects:2018s1-168 Penetration Testing of the SpaceTalk Tracking Watch
Wearable devices have become a popular commodity across the globe, with many different brands, shapes, models and sizes available. Wearable technologies have evolved into children’s wearable devices which allow parents to monitor and contact their child. In this project, the SpaceTalk safety watch from All My Tribe will be investigated to identify any security vulnerabilities in the device.
The SpaceTalk watch has minimal features reducing the complexity of the user interface and allowing a child to be able to call and receive messages preselected contacts. The watch also acts as a GPS tracking device which allows safe locations to be set like a child’s home or school. Other features on the watch include a timer, pedometer, torch function and an SOS button.
In this project, we aim to identify and investigate the security flaws of the SpaceTalk Tracking Watch. After identification, the focus will be on the malicious capabilities of the located flaws and how they may be used to extract and analyse data on the watch to learn schedules and locations of the individual wearing or to falsify data. Ultimately, the aim is to determine if the security protocols on the wearable are sufficient to provide parents with confidence that a child user is safe and that the information contained on the SpaceTalk is accurate and cannot be accessed by unauthorised third parties.
Sasha de Vries
Dr Matthew Sorell
Black Box Testing - Internals of system or device is unknown and by testing functionality further understanding is gained into how the system or device works.
Penetration testing - is a term used to refer to investigate and/or test a system or device for security flaws/vulnerabilities.
White Box Testing - The tester has full understanding of how the system or device operates and conducts tests based on the knowledge
The SpaceTalk watch advertises to parents that they can be confident that their child is ‘safe’ and they know where they are and can contact them at any time. When these watches are used for their designed purpose, they can allow for a higher confidence from the parents that the child remains safe. However, when these watches come under attack, it poses the question if they are secure enough to store a prolonged history of the child’s location. As this sort of data could be used to plan an attack against a child, one example of this the use of using the child’s location to find the route they walk home. With these wearable devices contain sensitive data, relating to the child’s location making the security and confidentiality of the data paramount. Ensuring the security of data is the key to the prevention of malicious manipulations such as for abductions, illegal surveillance or data falsification. Hypothesised security flaws on the device could expose data intended for the parent to a third party attempting to cause harm to the child. Flaws could allow a malicious user's to access and alter data stored on the watch. An example includes that a third party could upload software which allows them to continually surveil the child.
The Spacetalk watch is targeted for children in the age range between 4 and 12 years of age. Based on sales and customer feedback, Spacetalk is forecasted to sell between 120,000 to 180,000 units per annum to children in this age range. The significance of these numbers are that there are thousands to hundreds of thousands of devices being sold which could be more of a danger to your child than a security measure.
The child safety watch allows parents to be confident that their child is ‘safe’ and they know where they are with immediate contact. The concept of these watches sound great when used for designed or ideal purposes but the question is are they safe enough to store a prolonged history of your child’s location. These wearable devices contain sensitive data, relating to the child’s location making the security and confidentiality of the data paramount. Ensuring the security of data is the key to the prevention of malicious manipulations such as for abductions, illegal surveillance or data falsification. Locating security flaws on the device could allow that the data intended for the parent could be accessed or altered by a third party attempting to cause harm to the child. In the worst case scenario, a third party could upload software to the wearable to surveil the child.
The objectives of the project included:
- Investigate the features and capabilities of the Spacetalk watch.
- Use publicly available resources to identify security vulnerabilities or flaws
- Investigate the device using both a black box and white box methodologies
The goals of the project are to locate security flaws, develop countermeasures to flaws, ensure personal data is protected and ensure the device has sufficient security. The first goal is to investigate the SpaceTalk features and capabilities of the watch for security flaws. Any flaws located will be reported to AllMyTribe and possible countermeasures for the flaws will be suggested. By the investigation of the watch, we aim to determine if there are satisfactory protocols in place to ensure personal data is protected and that the security of the device should be sufficient to ensure intrusion from malicious predators is prevented.
The main area of research is into the intrusion of a ‘black box’ device. The SpaceTalk watch is treated like a ‘black box’ with only publicly released data of the device and experimentation being available to determine intrusive pathways into the watch. There are multiple methods being researched and focussed on to attempt to infiltrate the SpaceTalk watch.
Real World Implications
Weaknesses in the security protocols of these devices could result in severe consequences if discovered by an individual who has malicious intent. For example, if the GPS location of the child could be continuously monitored by a felon who wishes to harm the child, that children would be more at risk than without the watch. As the watch provides harmful information, it is detrimental towards the child's safety and should not be worn. Parents trust the provider, All My Tribe, with the data of their child and that the device is secure. The public identification of flaws will develop wavering trust in the products as well as other devices on the market. At the end of the day, these devices were designed to ensure the child’s safety is of high priority while having some independence. Maintaining security and the parent’s faith in the device is of great importance.
The investigation of the Spacetalk watch led to these outcomes:
- Identification of multiple security vulnerabilities which have been reported and patched
- A variety of testing which concluded the watch was designed with a high level of security
- Vulnerabilities are common to other IoT devices
As technology is continually advancing and breaking into aging devices becomes easier with the increased computing available, it is paramount that security comes first. The Spacetalk watch has been designed with great consideration into the security of the device and the user's data.
 ]"Spacetalk - Smart Phone, Watch & GPS - The phone that's best for kids", Spacetalk created by All My Tribe, 2018. [Online]. Available: https://www.allmytribe.com/. [Accessed: 10- Oct- 2018].\
 A. Vasileiadis, A. Anghelus and A. Giannopoulos, "Cyber Security | Ethical Hacking | GDPR – ODIN: automating penetration testing tasks", Prodefence.org, 2018. [Online]. Available: http://www.prodefence.org/odin-automating-penetration-testing-tasks/. [Accessed: 11- Oct- 2018].
M. W. Limited, MGM Wireless HY 2018 Results. MGM Wireless, 2017, last accessed on 11 October 2018. [Online]. Available: https://www.asx.com.au/asxpdf/20180228/pdf/ 43s0qsgj9s81y6.pdf