Smartwatch hack could trick patients to ‘take pills’ with spoofed alerts

Security researchers say a smartwatch, popular with the elderly and dementia patients, could have been tricked into letting an attacker easily take control of the device.

These watches are designed to help patients to easily call their carers and for carers to track the location of their patients. They come with their own cellular connection, so that they work anywhere.

But researchers at U.K.-based security firm Pen Test Partners said they could trick the smartwatch into sending fake “take pills” reminders to patients as often as they wanted.

“A dementia sufferer is unlikely to remember that they had already taken their medication,” wrote Vangelis Stykas in a blog post. “An overdose could easily result.”

Researchers triggering the “take pill” alert on a vulnerable smartwatch. (Image: Pen Test Partners/supplied)

The vulnerabilities were found in the back-end cloud system, known as SETracker, which powers the smartwatch. The same cloud system also powers millions of other white-label smartwatches and vehicle trackers across Europe, all of which were vulnerable to basic attacks, the researchers said.

The researchers obtained a copy of the source code that powers the back-end cloud system, which let them look for security weaknesses in the code. One of the major flaws was a hardcoded key in the server: anyone holding that key could have sent commands to remotely control any one of these devices.

With this key, an attacker could trigger the “take pills” alert, secretly make phone calls from the device, send text messages, or — in the case of vehicle trackers — cut the engine altogether.
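The flaw described above is a single static key that authorises any command to any device. The following is an added example, not SETracker's code or Pen Test Partners' research material: it models that weak pattern beside a hardened command endpoint that checks which carer is bound to a device, signs each command with a per-device key and timestamp, and caps how often a medication reminder can be pushed. Every key, device ID, carer ID and limit in it is a constructed assumption.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass, field

# Added example, not SETracker code. Contrasts the weak design the article describes
# (one static key baked into the server that authorises any command to any device)
# with per-device, per-carer authorisation plus a rate limit on medication reminders.
# Every key, device ID and carer ID below is constructed.

SHARED_KEY = b"constructed-static-server-key"   # weak: anyone who reads the source has it

REMINDER_LIMIT = 2             # "take pills" reminders allowed per device per window
REMINDER_WINDOW_S = 8 * 3600   # 8 hours
MAX_CLOCK_SKEW_S = 300


@dataclass
class Device:
    device_id: str
    carer_id: str                 # the one account allowed to command this device
    key: bytes                    # per-device secret provisioned at pairing time
    reminder_times: list = field(default_factory=list)


def sign_command(key: bytes, device_id: str, command: str, ts: int) -> str:
    """HMAC over (device, command, timestamp): a captured request cannot be
    replayed later or re-aimed at another device."""
    msg = f"{device_id}|{command}|{ts}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class WeakCommandServer:
    """The flawed pattern: possession of the shared key is the only check."""

    def __init__(self, devices):
        self.devices = {d.device_id: d for d in devices}

    def send(self, device_id: str, command: str, presented_key: bytes) -> str:
        if not hmac.compare_digest(presented_key, SHARED_KEY):
            return "rejected: bad key"
        if device_id not in self.devices:
            return "rejected: unknown device"
        # No check of who is calling, and no limit on how often.
        return f"sent {command} to {device_id}"


class HardenedCommandServer:
    """Per-device key, caller bound to device, fresh timestamp, reminder rate limit."""

    def __init__(self, devices):
        self.devices = {d.device_id: d for d in devices}

    def send(self, device_id, command, carer_id, ts, signature, now=None) -> str:
        now = int(time.time()) if now is None else now
        dev = self.devices.get(device_id)
        if dev is None or dev.carer_id != carer_id:
            return "rejected: caller not bound to device"
        if abs(now - ts) > MAX_CLOCK_SKEW_S:
            return "rejected: stale timestamp"
        expected = sign_command(dev.key, device_id, command, ts)
        if not hmac.compare_digest(expected, signature):
            return "rejected: bad signature"
        if command == "TAKE_PILLS":
            # Keep only reminders inside the window, then enforce the cap.
            dev.reminder_times = [t for t in dev.reminder_times
                                  if now - t < REMINDER_WINDOW_S]
            if len(dev.reminder_times) >= REMINDER_LIMIT:
                return "rejected: reminder rate limit"
            dev.reminder_times.append(now)
        return f"sent {command} to {device_id}"


def demo() -> dict:
    """Constructed scenario: watch-001 is bound to carer 'alice'; 'mallory' is not."""
    watch = Device("watch-001", "alice", b"constructed-per-device-key-001")
    weak = WeakCommandServer([watch])
    hard = HardenedCommandServer([Device("watch-001", "alice", watch.key)])
    now = 1_700_000_000
    sig = lambda cmd, ts=now: sign_command(watch.key, "watch-001", cmd, ts)
    return {
        "weak_any_caller": weak.send("watch-001", "TAKE_PILLS", SHARED_KEY),
        "wrong_carer": hard.send("watch-001", "TAKE_PILLS", "mallory", now, sig("TAKE_PILLS"), now),
        "shared_key_sig": hard.send("watch-001", "TAKE_PILLS", "alice", now,
                                    sign_command(SHARED_KEY, "watch-001", "TAKE_PILLS", now), now),
        "first": hard.send("watch-001", "TAKE_PILLS", "alice", now, sig("TAKE_PILLS"), now),
        "second": hard.send("watch-001", "TAKE_PILLS", "alice", now + 60, sig("TAKE_PILLS", now + 60), now + 60),
        "third": hard.send("watch-001", "TAKE_PILLS", "alice", now + 120, sig("TAKE_PILLS", now + 120), now + 120),
        "replayed": hard.send("watch-001", "TAKE_PILLS", "alice", now, sig("TAKE_PILLS"), now + 3600),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} {outcome}")
```

The point of the contrast is that the hardened server never has one secret whose disclosure compromises every device: a leaked server source tree yields no per-device key, a legitimate carer cannot command someone else's watch, and the reminder cap bounds the damage even from a compromised carer account.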

The code also had passwords and tokens to SETracker’s cloud storage, which the researchers believe — based on the code — stored data uploaded by these devices. But the researchers were unable to check as doing so would have broken U.K. computer hacking laws.
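Passwords and storage tokens sitting in a source tree are exactly what a pre-commit or CI secret scan is meant to catch. The block below is an added example, not SETracker's code and not the tool the researchers used: a small scanner run over constructed sample source lines, beside a loader that takes credentials from the environment so they never enter the repository. The patterns, variable names and sample values are assumptions (the `AKIA…` value is the publicly documented AWS example key ID, not a live credential).

```python
import os
import re

# Added example, not SETracker code: a scanner for credentials committed to source,
# of the kind the article says the researchers found, plus the pattern that keeps
# them out of the repository. The sample source lines below are constructed.

SECRET_PATTERNS = [
    # variable names that usually hold credentials, assigned a non-trivial string literal
    ("credential assignment",
     re.compile(r"""(?i)(pass(word)?|secret|token|api_?key|access_?key)\w*\s*[=:]\s*["'][^"']{6,}["']""")),
    # AWS-style access key ID format (publicly documented prefix and length)
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # credentials embedded in a connection URL: scheme://user:password@host
    ("url with credentials", re.compile(r"\b\w+://[^\s/:@]+:[^\s@]+@")),
]

# Lines that read the value from the environment are the hardened form, not a finding.
ENV_READ = re.compile(r"os\.environ|getenv\(")


def find_hardcoded_secrets(lines):
    """Return (line number, kind, stripped line) for each suspicious source line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        if ENV_READ.search(line):
            continue
        for kind, pattern in SECRET_PATTERNS:
            if pattern.search(line):
                hits.append((n, kind, line.strip()))
                break
    return hits


def load_storage_credentials(env=None):
    """Hardened form: secrets come from the environment (or a secrets manager),
    never from the source tree; a missing value fails fast instead of silently."""
    env = os.environ if env is None else env
    try:
        return {
            "access_key": env["STORAGE_ACCESS_KEY"],
            "secret_key": env["STORAGE_SECRET_KEY"],
        }
    except KeyError as missing:
        raise RuntimeError(f"required secret not set: {missing}") from None


# Constructed sample of a server config module (hypothetical names and values).
SAMPLE_SOURCE = """\
# constructed sample of a server config module
DB_URL = "mysql://tracker:Tr4ck3r!pw@db.internal:3306/tracker"
S3_ID = "AKIAIOSFODNN7EXAMPLE"
STORAGE_SECRET = "constructedsecretvalue1234"
DEVICE_CMD_KEY = os.environ["DEVICE_CMD_KEY"]
TIMEOUT = "30"
""".splitlines()

if __name__ == "__main__":
    for n, kind, text in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {n}: {kind}: {text}")
```

Run against the sample, the scanner flags the connection URL, the AWS-format key and the literal secret, and skips the line that already reads its key from the environment. A scanner like this is a cheap first line of defence; the stronger control is the loader pattern, which makes a leaked source tree worthless for reaching the storage back-end.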

The researchers said that the vulnerabilities have now been fixed. It isn’t known if the flaws had been exploited by someone else.

This latest research comes just months after Pen Test Partners found similar vulnerabilities in other widely used white-label child-tracking smartwatches.

A lack of security is a growing trend among smart device makers, which often build devices with little consideration for good cybersecurity practices. That prompted the U.K. government to propose new legislation to improve their security by mandating that smart devices be sold with a baseline level of security, such as unique passwords.
