Specialists in a pentesting course ensure that it is possible to hack the software with which some smartwatches used to support some elderly or dementia patients work. Many smartwatches are programmed to remind patients when to take their medications, so threat actors could intervene and cause death from medical overdoses.
The flaw was reported to multiple manufacturers, who rushed to release the relevant safety fixes. However, this does not fix the problem completely, as the application linked to these devices has been downloaded at least 10 million times, so the scope of a malicious campaign could be huge.
The vulnerability was reported by Pen Test Partners, a UK-based information security firm. The experts of the pentesting course mention that it is impossible to determine if any threat actors have managed to exploit the flaw.
These watches can be useful so that patients with missing dementia can be located using the GPS system, while nurses or family members can also schedule them so patients don’t forget to take their medicines.
The flaw lies in a system called SETracker, used in a wide range of low-end smartwatches available anywhere in e-commerce. If exploited, this flaw allows threat actors to obtain the location of the device, as well as modify its settings and send alerts to users.
On the other hand, malicious hackers can alter the way reminders are received to take the medicines, which could have fatal consequences for patients: “A patient with dementia is unlikely to remember that they had already taken their medication,” pentesting experts mention.
The developer of this system, based in China, received the alert from Pen Test Partners, so the vulnerability was corrected soon after. Users of these smartwatches should not perform additional actions.
Harold Thimbleby, a professor at Swansea University, says standardized use of technology can become a problem for the tech industry: “People think programming is easy, so products are released for sale without performing the required testing,” he adds.
For further reports on vulnerabilities, exploits, malware variants and computer security risks, it is recommended to enter the website of the International Institute of Cyber Security (IICS), as well as the official platforms of technology companies.