Issue 92: APIs putting dementia patients at risk ⚕️, OAuth simulators

This is one of those API vulnerabilities that can have life-or-death consequences: Pen Test Partners found serious API vulnerabilities in SETracker, a backend service behind kids’ smartwatches, car trackers, dementia patients’ devices, to name but a few.

SETracker is owned by a Chinese 3G Electronics, and widely used especially in budget smart tracker devices. Pen Test Partners analyzed the source code of SETracker, and found plenty of vulnerabilities in it.

The familiar concerns — like spying and unsolicited calls — were there, but some of the findings were more concerning. For example, attackers could send notifications on the smartwatches for people suffering from dementia to take medication, which could potentially lead to fatal overdoses. Or, in fact, any kind of notifications to any of the devices, with more potential sad outcomes.

The most serious and over-arching vulnerability, and one that more or less enabled the others, was that the server-to-server API was “protected” with a static key and that key was hard-coded in the source code. This meant that attackers could find and reuse the key that allowed them to communicate to SETracker servers like just another trusted server.

3G Electronics was responsive to researchers’ report and the vulnerability has now been fixed.

Pen Test Partners has previously made a similar discovery in the Thinkrace platform for smartwatches and tracker devices, featured in our issue 63. There’s no shortage of the smart tracker vulnerabilities covered in our previous issues either: car trackers in issues 27 and 29, and smartwatches in issues 7, 18, 19, 26, 27, 59, 78…

Jason Kent has found an API vulnerability in Kasa Cameras, owned by TP-LINK.

Authentication errors disclose whether or not an account exists because the error messages are too verbose and give away details. This makes it easier for attackers to enumerate email addresses and perform take-over attacks, like credential stuffing.

Don’t make attackers’ lives easier: always make sure your API responses — both success and error messages — do not reveal details that help in attacks or figuring out inner workings of your system.

Want to experiment with different OAuth2 and OIDC flows? Check out these two cool simulators that make it easier to understand the different flows in practice:

• Aaron Parecki’s OAuth 2.0 Playground
• Philippe De Ryck’s OAuth 2.0 Flow Simulator

On July 23rd, Isabelle Mauny is hosting a webinar about the use of OpenAPI REST API definitions as the foundation of the positive API security model, and compares this approach with machine learning / AI / anomaly detection.

Click here to enroll and reserve your spot.