
Official Statement 

16 April 2019

Karen Cantwell, Founder & CEO of iStaySafe Pty Ltd 

Following our statement issued on 15 April 2019, I would like to provide an update on the steps that we have implemented over the last 24 hours:
 
1. Our software development team is currently reviewing the findings of Mr. Ken Munro and Mr. Troy Hunt which have been published in recent days. This detailed review commenced upon the restriction of user access to the TicTocTrack application, and we anticipate this review to be completed by no later than the close of business 17 April 2019. A separate statement will be issued shortly after the completion of this review, which will also respond in detail to the statements made by Mr. Troy Hunt and Mr. Ken Munro.
 
2. We have engaged with an accredited penetration testing service in Australia, who will be conducting a full audit of our software platform. Consistent with our commitment of ongoing and continuous disclosure, we will be providing a summary of this report upon completion.
 
We appreciate the information provided by Mr. Munro on the evening of 15 April 2019, which further assisted the completion of item 1 detailed above, and which is included below in the interests of transparency:
 
From: Ken Munro
Date: Monday, 15 April 2019 at 5:42 pm
To: Karen Cantwell
Subject: RE: Reporting a security flaw

Hi Karen

First, thanks for taking such swift action. That is markedly more proactive than many of the other smart tracker watch firms we’ve found security issues with.

I have attached a full technical write-up of the various vulnerabilities. This will make sense to your developers, however in essence:

The back end service that interacts with the mobile app doesn’t correctly check that the person making the request is the person authorised to do so.

Whilst the system has user accounts and requires users to log in, it doesn’t check that the person logged in is the correct person to access that child’s data.

As a result, all data from the watch is available to anyone.

Whilst I don’t know the technical detail of your systems and backend, my suspicion is that the mobile app developers haven’t developed the app and backend securely enough. I could be completely wrong there though. There may be components in common with the Caref/Gator API, but I can’t be certain.

I’m on GMT+1 currently.

Regards

Ken

Ken Munro

Pen Test Partners LLP
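The flaw Munro describes above is an authenticated request that is never checked against what the caller is actually authorised to see. The following is an added illustration, not iStaySafe's or Pen Test Partners' code, and uses a constructed in-memory backend with made-up accounts, children and session tokens: the first handler checks only that a session exists, the second also checks that the requested child belongs to the logged-in account.

```python
# Added illustration (not iStaySafe's or Pen Test Partners' code) of a missing
# object-level authorisation check. All data below is constructed sample data.
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested object."""

@dataclass
class Backend:
    sessions: dict = field(default_factory=dict)    # session token -> account id
    guardians: dict = field(default_factory=dict)   # child id -> owning account id
    watch_data: dict = field(default_factory=dict)  # child id -> latest watch record

    def _authenticate(self, token: str) -> str:
        """Return the account id behind a valid session token, else raise."""
        try:
            return self.sessions[token]
        except KeyError:
            raise Forbidden("not logged in") from None

    def get_child_data_vulnerable(self, token: str, child_id: str) -> dict:
        """Checks only that the caller is logged in, not which child is theirs.
        Any valid session can read any child's record by supplying its id."""
        self._authenticate(token)
        return self.watch_data[child_id]

    def get_child_data_fixed(self, token: str, child_id: str) -> dict:
        """Object-level authorisation: the child must belong to the caller.
        Unknown and foreign ids get the same refusal so ids cannot be probed."""
        account = self._authenticate(token)
        if self.guardians.get(child_id) != account:
            raise Forbidden("no such child for this account")
        return self.watch_data[child_id]

def build_sample_backend() -> Backend:
    """Constructed sample data: two parent accounts, each with one child."""
    return Backend(
        sessions={"tok-alice": "alice", "tok-bob": "bob"},
        guardians={"child-1": "alice", "child-2": "bob"},
        watch_data={"child-1": {"lat": -33.87, "lon": 151.21},
                    "child-2": {"lat": -37.81, "lon": 144.96}},
    )

def can_read(fetch, token: str, child_id: str) -> bool:
    """True if `fetch` hands the caller the record, False if it refuses."""
    try:
        fetch(token, child_id)
        return True
    except (Forbidden, KeyError):
        return False
```

A regression test for this class of bug is the `can_read` call with one account's session and another account's child id; it must return False on every data-returning endpoint, not just the ones already reported.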

Finally, we say to our customers and members of the public that any and all security issues are being addressed and will be fixed as soon as possible.

We will be releasing a full and transparent report of all changes that we have made to the software, based on the findings of the iStaySafe commissioned penetration test.

Kind regards, 

Karen Cantwell, iStaySafe Pty Ltd
