• A flaw in a cloud platform belonging to Chinese tech company ThinkRace allows unauthorized persons to access GPS location data without permission
  • This flaw exposes the real-time GPS location of millions of kids wearing ThinkRace smartwatches
  • ThinkRace sells its white-label trackers to various companies that sell it as their own

Many parents buy child-tracking smartwatches so they can monitor their children's whereabouts. Some such trackers even allow parents to set parameters so they can be notified if their children go beyond a set distance from home. These devices are meant to give such mothers and fathers added peace of mind.

A new research, however, found that while a certain brand of smartwatches does allow parents to enjoy such features, a flaw in the company's cloud platform does the opposite – it allows unauthorized persons, whether with or without bad intentions, to also monitor children's locations.

According to research conducted by Pen Test Partners, a company that conducts penetration tests to see if a device offers adequate security, anyone with access to the internet (and a particular set of skills) can access information about the real-time GPS location of children wearing a smartwatch, or carrying a GPS tracker, from a Chinese company called ThinkRace.

In addition to accessing their GPS location, unauthorized persons can also spy on these children and/or listen to the audio recordings they make via the said smartwatches. In the report, Pen Test's Vangelis Stykas even included an image showing GPS locations revealing his son's whereabouts. This info, he said, can be accessed “without needing to authenticate to the correct API account.”

TechCrunch, which received firsthand information from Pen Test, reported that each ThinkRace tracking device connects to the cloud platform, which is what the researchers considered as a “common point of failure.”

Here's why: every command the platform sends to smartwatches is well-documented and does not require authorization to access. Those with the skills and knowledge can easily access these in order to track a device. What's more, since account numbers aren't randomized, hackers and those with malicious intent can access devices in bulk without a lot of effort.

Why this should be a cause for worry

Many consumers might not find the report a cause for worry because they don't use a ThinkRace-branded smartwatch. That's wrong. ThinkRace is one of the largest makers of white-label GPS trackers in the world, and it sells many of these devices to popular companies. These companies, in turn, put their names on the devices before selling them to consumers.

Now what are these companies? ThinkRace's website lists Lenovo, Huawei, Vodafone, Allianz and more as its clients. Perhaps there could be more. Pen Test said “often the brand owner doesn’t even realise the devices they are selling are on a [T]hinkrace platform.” It adds that it's best to avoid using ThinkRace's trackers to keep one's whereabouts hidden from others.

Huawei Watch 2
Huawei is listed as one of ThinkRace's clients. VentureBeat