@fabsh
Created March 29, 2018 09:14
DeepL translation of heise online smartwatch story
Listening nightmare: GPS smartwatch for children and seniors can be eavesdropped on by strangers
An investigation by c't and heise online shows: Hundreds of smartwatches sold in Germany can be turned into a bug from the Internet in no time at all, without the wearer noticing.
GPS tracking smartwatches sold in Germany via Amazon by a small Austrian-British company contain horrendous security gaps through which watch owners can be tracked and monitored. As research by c't and heise online shows, the Paladin smartwatch from the manufacturer Vidimensio can be made to call any telephone number with a simple web request without the wearer noticing. The called party can then listen to everything that happens near the watch. The watches, designed to make their wearers safer (Vidimensio promotes its products as protection for children and the elderly), thus become bugs that can be controlled by strangers from the Internet.
The watch becomes a bug in no time
No login or password is required to activate the watch's listening function. Only the unique ID of the device must be known. The watches come with the manufacturer's Android and iOS apps, which communicate with the watch via the manufacturer's server. Until recently, commands, including the device ID, were transmitted in plain text. With a few simple steps we were able to read the ID of our watch and record the server commands. The IDs seem to be assigned sequentially, which makes it trivial to find the watches of other Vidimensio customers. Armed only with a Linux command line and the ID of a watch, one can listen in on it.
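The missing control here is a server-side authorization check that ties each command to an authenticated account owning the target watch. The following sketch is an added example, not code from Vidimensio or from the article; the device IDs, account names, command names and status codes are constructed assumptions.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)             # signing key for session tokens
# Constructed sample registry: sequential device IDs mapped to the owning account.
OWNERS = {"1000123": "alice", "1000124": "bob"}
COMMANDS = {"locate", "reset"}                   # hypothetical command names


def issue_token(account: str) -> str:
    """Issued after a real login; binds the session to one account."""
    mac = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    return f"{account}.{mac}"


def account_from_token(token: str):
    """Return the account name if the token's MAC verifies, else None."""
    account, _, mac = token.rpartition(".")
    expected = hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(mac.encode(), expected.encode())
    return account if account and ok else None


def handle_vulnerable(device_id: str, command: str) -> int:
    """The flaw described above: the device ID alone authorises the command."""
    return 200 if device_id in OWNERS and command in COMMANDS else 404


def handle_hardened(token: str, device_id: str, command: str) -> int:
    """Require a valid session and check that the caller owns the device."""
    account = account_from_token(token or "")
    if account is None:
        return 401                               # missing or forged session
    if command not in COMMANDS:
        return 400
    # Same answer for "not yours" and "does not exist", so sequential
    # IDs cannot be probed to learn which devices are registered.
    if OWNERS.get(device_id) != account:
        return 404
    return 200


if __name__ == "__main__":
    alice = issue_token("alice")
    print(handle_vulnerable("1000124", "locate"))       # ID alone is accepted
    print(handle_hardened(alice, "1000123", "locate"))  # alice's own watch
    print(handle_hardened(alice, "1000124", "locate"))  # bob's watch: refused
```

With this check in place, guessable IDs no longer grant access by themselves, and neither transport encryption nor certificate pinning is relied on to keep the ID secret.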
The manufacturer discusses instead of safeguarding
The security gap was discovered by independent security researcher Christopher Dreher. He immediately recognized the explosive nature of the topic and turned to the editors of c't and heise online: We should contact the manufacturer and make sure together that the security holes are plugged before we publish the story. The entire odyssey of our difficult communication with the company Vidimensio is described in the article "Caution, watch listens in" in the current c't. To make a long story short: Most of the security holes in the watch are still open, and in particular the eavesdropping command still works.
Although we informed the manufacturer about the security problems in its products at the beginning of January, it has not been able to give us an exact date for fixing them. Instead, the company owner discussed with us whether reporting was justified. We continued to try to convince him how serious the weaknesses discovered by Dreher are. Following the security researcher's advice, only the network traffic between apps and server is now at least TLS-encrypted after an app update. However, since the apps do not implement certificate pinning, we were still able to read the ID of our test watch after the update using common tools such as mitmproxy.
Prohibited in Germany
The functional scope of the Vidimensio watch seems to match exactly the description of "children's watches with listening function", which the Federal Network Agency warned about in November 2017: "The app owner can determine that the watch calls any telephone number unnoticed by the wearer and his environment", the authority says in its message. "This enables him to listen unnoticed to the wearer's conversations and his surroundings. Such a listening function is prohibited in Germany." At the time, the Federal Network Agency recommended that the owners of such devices should destroy them and keep a record of the destruction of the watch. According to those responsible at Vidimensio, they have known about this warning from the authorities since the end of last year.
Probably other watch models affected
The experience gained during our research with the Paladin watch model and Vidimensio's server infrastructure suggests that other watches from the manufacturer also contain similar security vulnerabilities. However, those responsible are convinced that their watches are safe. Vidimensio asserted that the listening function on the Paladin watch as well as on other watches "of ours" had been "switched off". At the time we received this statement, however, we were still able to eavesdrop on our test watch.
In addition to the eavesdropping function, attackers can also query the current position of the watch in real time using a server command. Additionally, we were able to reset our watch by remote command and gain access to the web interface for our Paladin. In this way, an attacker could have read the contact book stored on the watch and our personal data.
Translated with www.DeepL.com/Translator