At a glance.
- Children's wearable devices fall short with respect to privacy.
- Privacy issues persist in the travel industry.
- More organizations disclose exposure in the Blackbaud hack.
Smartwatches for kids are still crazy, after all these years.
WIRED, taking its cue from a study by researchers at the Münster University of Applied Sciences, describes the persistent privacy shortcomings of smartwatches produced for and marketed to children. The researchers were surprised by how little the privacy protections offered by popular devices had improved, even after years of warnings and legal action. The study looked at six popular smartwatches sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. The JBC, Polywell, ANIO, and Starlian devices were all variations on a single theme, and they were the most fraught with privacy vulnerabilities. The basic device is, in terms of both hardware and backend server architecture, essentially one built by Shenzhen-based white-label shop 3G. If one knew the International Mobile Equipment Identity (IMEI) of a specific child's device, one could spoof communications from smartwatch to server and register a false location for the child, or spoof an audio message that appeared to originate with the watch, or even impersonate the server to command the smartwatch to begin recording and transmit audio of its surroundings. 3G's backend server is also susceptible to SQL injection.
When researchers contacted 3G, the company said that it immediately fixed the vulnerabilities and added a layer of encryption. The team at Münster said they appeared to be fixed in the JBC and Polywell devices, but that the Starlian and Pingonaut watches continued to have issues. To be sure, they tested only a small number of smartwatch models, but the researchers think it's a representative sample, and that this particular sector has some work to do on security and privacy.
Which? (sic) finds enduring privacy problems in major travel companies.
The consumer group Which? (sic, the punctuation is in the name itself) reports that it has studied some three hundred travel brands and found that their websites contained vulnerabilities that could be exploited to obtain customer information. The firms Which? says it looked at included three that have experienced recent, serious, and high-profile compromises: Marriott, British Airways, and easyJet. Which? concludes from this that the travel sector hasn't learned its lessons, Cambridgeshirelive reports. "Travel companies must up their game and better protect their customers from cyber threats," said Rory Boland, editor of Which? Travel, "otherwise the ICO must be prepared to step in with punitive action, including heavy fines that are actually enforced." He's speaking of the three firms Which? mentioned in dispatches, all of whom say they have in fact taken steps to improve their security posture. In fairness to the travel industry, one must note that the sector has been unusually hard-hit by the COVID-19 pandemic, and companies have a great deal on their plates.
More Blackbaud casualties.
The AP reports that University of Nevada, Reno, alumni and donors may have had their data exposed in the Blackbaud breach. The information at risk includes contact information (basically names and addresses) and the individuals' giving history. About two hundred thousand people are affected. And in Atlanta, Georgia, according to WSB-TV2, a number of schools and hospitals have been similarly affected, although the report names only two: the Georgia State University Foundation and the Morehouse School of Medicine.
The Blackbaud ransomware incident is clearly going to have repercussions for some time. It should be regarded as a cautionary tale of third-party risk.