As APIs become the standard way to expose powerful functions to mobile devices, a single vulnerability can endanger lives.
Last week, a GPS tracker service aimed at helping caregivers to manage the activities of vulnerable people (children and elderly with dementia) was found to contain serious vulnerabilities.
According to the researchers, one security issue in Chinese developer 3G Electronics’ SETracker app for iOS and Android involved an unrestricted application programming interface (API) that could allow attackers to change device passwords, access the built-in camera, and hijack the device to send messages or make calls.
The researchers also found that the software’s source code had accidentally been made public: a compiled Node file had been hosted online as a backup with no protection. Passwords, emails, SMS messages, photos and credentials were there to view.
The app is available on iOS and Android and has been downloaded over 10 million times. How can something so wrong happen to something designed to help the vulnerable?
The use and abuse of APIs
Usually, when we talk about vulnerabilities there is a lot at stake because sensitive information such as usernames and passwords, credit card data or banking information is exposed. There is no doubt that the exposure of such data could turn our lives upside down, but it does not quite compare to cases where human life itself is at stake. Said Boris Cipot, Senior Security Engineer, Synopsys Software Integrity Group: “In this case, as a result of a vulnerability in the API, an attacker could gain control and deliver messages through it. As one of the functionalities of the smartwatch is to remind the user to take their pills, the attacker could simply trigger more alerts than permitted; therefore, endangering the user’s life. This is just one example of how the device could be manipulated.”
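To make the class of weakness concrete, here is an added example; it is not SETracker code and does not come from the researchers or from 3G Electronics. It shows a minimal Node.js-style device-command handler that trusts the device identifier in the URL and never asks who is calling, beside a hardened version that authenticates the session, checks that the caller owns the device (object-level authorization), allowlists commands and caps the number of pill reminders a device may hold. The data model, token format, command names and the eight-reminder limit are all assumptions made for the illustration.

```javascript
// Added illustration of an "unrestricted" device-command API next to a hardened
// version. Not SETracker code: the data model, token format, command names and
// limits below are assumptions for the example only.

// Fresh copy of the constructed sample data: two caregiver accounts, one tracker each.
function makeStore() {
  return {
    sessions: new Map([["tok-alice", "alice"], ["tok-bob", "bob"]]),
    devices: new Map([
      ["IMEI-0001", { owner: "alice", password: "123456", reminders: [] }],
      ["IMEI-0002", { owner: "bob", password: "654321", reminders: [] }],
    ]),
  };
}

// Commands the hardened API accepts, and the most pill reminders one device may
// hold (the cap is this example's defence against "more alerts than permitted").
const ALLOWED_COMMANDS = new Set(["setPassword", "addReminder", "sendSms"]);
const MAX_REMINDERS = 8;

// Shared back end: writes the command to the device record. Returns false for an
// unknown command so both handlers can answer 400 instead of crashing.
function applyCommand(device, body) {
  switch (body.command) {
    case "setPassword": device.password = body.value; return true; // pushed to the watch
    case "addReminder": device.reminders.push(body.value); return true; // e.g. "08:00 pill"
    case "sendSms": device.lastSms = body.value; return true; // text the watch would send
    default: return false;
  }
}

// Vulnerable handler: trusts the device id in the URL and never checks who is
// calling, so anyone holding or guessing an identifier can reconfigure the device.
function vulnerableCommand(store, req) {
  const device = store.devices.get(req.params.deviceId);
  if (!device) return { status: 404 };
  return applyCommand(device, req.body) ? { status: 200 } : { status: 400 };
}

// Hardened handler: authenticate the session, verify the caller owns the device,
// validate the command and its value, and cap the reminder list.
function hardenedCommand(store, req) {
  const user = store.sessions.get(req.headers.authorization);
  if (!user) return { status: 401 };
  const device = store.devices.get(req.params.deviceId);
  // Same answer for "no such device" and "not your device": do not confirm which ids exist.
  if (!device || device.owner !== user) return { status: 404 };
  const { command, value } = req.body;
  if (!ALLOWED_COMMANDS.has(command) || typeof value !== "string") return { status: 400 };
  if (command === "setPassword" && !/^\d{6}$/.test(value)) return { status: 400 };
  if (command === "addReminder" && device.reminders.length >= MAX_REMINDERS) return { status: 429 };
  applyCommand(device, req.body);
  return { status: 200 };
}

// Builds a request shaped the way the Express-style handlers above expect it.
function request(token, deviceId, command, value) {
  return { headers: { authorization: token }, params: { deviceId }, body: { command, value } };
}

// Demo: an unauthenticated caller tries to change Alice's device password.
const attack = request(undefined, "IMEI-0001", "setPassword", "000000");
console.log("vulnerable API:", vulnerableCommand(makeStore(), attack).status); // 200, password changed
console.log("hardened API:  ", hardenedCommand(makeStore(), attack).status);   // 401
```

Run it with `node`. The hardened handler deliberately returns 404 rather than 403 when a caller targets a device belonging to someone else, so the API does not help an attacker enumerate which device identifiers exist; the reminder cap turns the "flood the user with alerts" abuse into a 429 instead of a delivered command.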
Cipot noted that sending fraudulent messages, controlling SMS traffic, blocking the GPS tracking on the device, and accessing the camera and stored images are only some of the many capabilities an attacker could abuse. Furthermore, the publicly exposed source code contained serious flaws, including hardcoded credentials and server and database-access details for the SETracker ecosystem.
“The good thing is that 3G Electronics has removed the problems and changed the exposed passwords. However, this should be a wakeup call to every IoT provider; overlooking product security and quality can have a huge impact on many lives. Take care of your code. Be really thorough when looking for vulnerabilities in your code or the code of third parties. Those vulnerabilities can be easily detected with static analysis security tools (SAST) during development and therefore, can be avoided. Do not let mistakes like this ruin your company’s name and credibility; rather, be a company that your users can trust,” said Cipot.
This incident has brought to light the potential for APIs to be abused or exploited. It is one of many smart-device fiascoes that have put the world on alert, yet not every device developer will heed best practices for data protection and general cybersecurity. “One way to resolve this issue may be in setting a standard of programming and testing for all IoT devices that are being offered in the market. The UK had previously announced initiatives, be it for autonomous driving or for general IoT devices. I hope that others will follow,” added Cipot.
Viewpoint of an ethical hacker
Security weaknesses in IoT devices continue to make headlines, especially in the healthcare sector. It is not surprising that there is a real push to ensure medical device providers in particular have a process to accept vulnerability reports from third-party researchers.
Said Bill Lummis, Technical Program Manager of ethical hacking and bug bounty network HackerOne: “The FDA recently released guidance on how providers should do this because any issues in the device are really messy to clean up. The European Telecommunications Standards Institute (ETSI) has also recently released guidance for all IoT manufacturers selling in Europe on the same theme. However, in this case, the weakness actually wasn’t in the device but was a bug in the API that communicated with the watch—a super common vulnerability that we see on thousands of customer assets.”
Being part of the ethical hacking community, Lummis feels it is great to see that 3G Electronics responded to the researchers and swiftly fixed the vulnerability. “This speedy mitigation shows just how important it is to be open to working alongside the creative and diverse hacking community, who genuinely want to help secure products for those who need them.”
On the flip side, speedy mitigation is little consolation when even a short-lived breach can compromise the lives of many users. The irony of technology is that, when cybersecurity is not tightly reined in and built into every application from the start, the same double-edged sword multiplies the damage of privacy breaches faster than ever. In a digitalized world, prevention and deterrence have to be the cure.