Blog: Vulnerability Advisory

A masterclass in responding to vulnerability disclosure: The Buddi app and tracker

Vangelis Stykas 29 Nov 2021

The Buddi tracker https://www.buddi.co.uk/ is used for tracking elderly and vulnerable people. It’s a GPS/GSM-based clip-on device that reports wearer position to an app via a platform. It means that the wearer can easily be found by their carer or the emergency services, should they become lost and unable to make their own way home. The device also features a panic button that automatically calls their carer and allows the wearer to speak to them.

The device is popular in the care market, allowing the wearer a greater degree of independence and the ability to live independently for longer. The business behind Buddi has recently listed successfully on the UK AIM stock market (AIM:BIG), reflecting significant growth in the tracking markets in both UK and US.

Having previously found numerous security flaws in other GPS tracking devices, I wanted to find out whether these devices had similar issues

TL;DR

  • We discovered two vulnerabilities:
    • To change where movement and panic alerts were sent
    • Potentially, to access other accounts
  • Disclosure was handled almost perfectly by Buddi, who fixed the issue within minutes of the report arriving
  • Other vendors should learn from this excellent response to vulnerability disclosure

We bought two trackers ourselves and proved the vulnerabilities by switching alerts meant for one tracker to come from the other.

1. Changing alert contact details

The Buddi portal did not correctly authorise that the user had access to the contact details, hence an attacker could manipulate the following request:

The wcid is the contact ID and the wID is the wearer’s ID. To accept the value it will need the correct combination of those two IDs. As both of them were incrementing integers a brute force attack would have been easy to script.

2. Accessing other accounts

The Buddi portal did not appear to correctly validate access to the ‘edit users’ endpoint.

This may have allowed an attacker to change all the details of any user. It could also have been used to change the email and the user level of any user, effectively taking over that account after a password reset.

Buddi reported that a higher level of authorisation may have prevented this, though it appeared that the attack was successful.

crcID is the caregiver’s ID which was an incrementing ID. A brute force attack that could change all users emails and password reset also appeared to be scriptable.

What happened

It’s not often that we get to praise the response of an organisation to a vulnerability disclosure, but Buddi has acted extremely well.

Here’s the timeline:

  • 28/9/21 16:15 email sent to Buddi support asking where we can send a detailed report to
  • 28/9/21 18:30 reply from customer services manager, acknowledging receipt of the initial, expressing concern and escalating internally. Asked for full details to be sent
  • 29/9/21 10:36 we sent full details. It transpires that the initial email was escalated to the CTO overnight
  • 29/9/21 12:00ish CTO calls my colleague Ken direct. The CTO is grateful and has already taken action

Here’s where it gets impressive

During the conversation, it became clear that vulnerability #1 (changing where alerts are sent) had already been fixed in the 90 minutes since the full report was sent.

However, Buddi felt that our second vulnerability (account hijack) wouldn’t have worked owing to a second level of authorisation that wouldn’t have been clear to us. We disagreed.

Instead of arguing the toss and closing down comms as so many IoT vendors have done with us, Buddi offered to put the old code back up in a non-live environment for us to play with, with full permission to test.

Yes, I suppose they could have rigged the environment had they wanted to. However, given how freely they acknowledged vulnerability #1, I see no reason why they would be motivated to do so.

This is a great example of engaging really constructively with security researchers. <90 minutes from disclosure to fix and a personal call straight from the top of a near-£1Bn market cap business.

We were impressed. Kudos to Buddi!