Skip to main content

Smartwatch security flaw could lead to overdoses and deaths

person using a smartwatch
(Image credit: Shutterstock)

Dementia patients who use a popular mobile app designed to work with  smartwatches and GPS tracking devices could accidentally overdose on their medications due to a string of security flaws in the app.

Security researchers at Pen Test Partners have discovered several flaws affecting the SeTracker and SeTracker2 apps, which are available for both Android and iOS and run on, among other things, smartwatches designed for people with dementia.

Serious flaws

The apps, created by China-based 3G Electronics, tell millions of vulnerable users when to take their tablets and complete certain tasks. They are also used to interact with smartwatches for children and with GPS vehicle trackers. 

However, the researchers have warned that the SETracker applications contain serious security flaws that could let hackers gain access to millions of smartwatches used by dementia patients. 

They said: “The SETracker platform supports automotive trackers, including both car and motorcycle, often embedded in audio head units, and dementia trackers for your elderly relatives. The vulnerabilities discovered could allow control over ALL of these devices.”

Pen Test Partners also shot a video of their proof-of-concept exploit in action.

Deadly consequences 

In their investigation, the researchers found an unrestricted server-to-server API in the apps, and as a result were able to do things like make calls, send messages, spy on devices, send fake messages, stop a car engine and access cameras.

But one activity that could have potentially life-threatening consequences is telling a vulnerable user to take their medication.

The researchers warned: “These watches are not just marketed at children. Many use them for elderly relatives or family members with dementia. 

“It is trivial to send a command to the watch that prints ‘TAKE PILLS’ on the screen, which could result in dementia patients ‘over dosing’ on their medication, which may be life-threatening.”

The researchers were also able to view the apps' source code, which was publicly accessible. As a result, hackers could access things like:

  • MySQL passwords on all databases
  • Aliyun (Alibaba Cloud) file buckets credentials (an Amazon S3 equivalent with ALL their pictures)
  • Email credentials
  • SMS credentials
  • Redis credentials (for an open-source database platform)
  • IPs (Internet Protocol addresses) and services of 16 servers
  • The entire server-side source code for SETracker.
  • The default password "123456", which is hard-coded in the source code, although there is a way for a user to change this.

Fixing the issue

After Pen Test Partners alerted the app maker of these flaws, the vulnerabilities were patched.

Pen Test Partners confirmed: “We contacted 3G Electronics to ask them to shut down the API, given our (and others') previous efforts to disclose vulnerabilities [with which] we didn’t expect to have much success.

"Surprisingly, within 4 days from the initial disclosure, 3G Electronics had modified the server-to-server API by restricting it to specific IP’s.”

Devices like smartwatches are often affected by security flaws and are subsequently targeted by hackers. Users are advised to create unique passwords for app credentials, to only purchase reputable devices and ensure their apps are up-to-date.