Wherecom Technology Limited is a Chinese tech company that provides location-based services. Wherecom’s core product is a tracking and positioning software platform that features positioning, analytic coordinates, SOS support, family numbers, voice messages and more. Wherecom products are specifically designed for keeping watch on kids and pets, so parents can stay calm while they are out.
The company claims that data is secure with them, but there are a few vulnerabilities. One Reddit user tracked one down and exploited it to reveal the issue.
The Ukrainian user says he purchased a Fixitime 3 smartwatch from Elary, which is a Wherecom product, for his kid a month ago. He bought the Fixitime to keep watch on his kid, who is just starting school.
“A month ago I bought a Fixitime 3 smart-watch from Elary (actually Wherecom company’s product from China) for my kid, who is about to enter the first primary grade. This watch is a device that allows you to track the kid’s position, call him, chat with voice, get photos from his watch and so on.”
The Ukrainian programmer explained in a Reddit post that, while checking the security of this watch, he found a major vulnerability in it. Using it, he was able to add the watch of any kid in his child’s school to his Wherecom mobile app.
“I installed the Wherecom mobile app, added my kid’s watch to it and started to analyse internet traffic from this app. It took me only half an hour to find a vulnerability and to add other kids’ watches to my app as an experiment.”
After adding other kids’ watches to his app, he was able to get the GPS coordinates of these kids and other detailed information about them, such as name, gender, age, height, weight, birthday, grade, avatar, cell phone number and so on. He was able to do everything their parents could do with the mobile app on their own devices. He was even able to spy on other kids’ activities secretly.
This is not the only issue in the app: it also uses HTTP instead of HTTPS for data transmission, which is like suicide for a tech giant considering how frequently data breaches happen. Because HTTP traffic is unencrypted, anyone with a bit of technical knowledge can intercept it on a public network with ease.
Being a concerned citizen and parent, he informed a company representative about this security flaw a month ago. Wherecom has fixed some breaches in its app, but the major vulnerability is still there.
“As the security of my kid was also affected, I decided to send all vulnerability details to Wherecom support. Nearly a month has passed since, but the vulnerability is still open. Some breaches were fixed, but not the main one.”
According to him, 200k to 300k devices are affected by this vulnerability, most of them used by kids.
We are raising this issue because no other media outlet has reported it yet. We advise all readers to take precautions when using Wherecom products until the company resolves the issue.
We have tried to contact Wherecom, but so far we have received no response. We will keep you updated if there are any developments. Stay tuned!