Parents buy their children GPS-enabled smartwatches to keep track of them, but security flaws mean they're not the only ones who can.

This year alone, researchers have found several vulnerabilities in a number of child-tracking smartwatches. But new findings out today show that nearly all were harboring a far greater, more damaging flaw in a common shared cloud platform used to power millions of cellular-enabled smartwatches.

The cloud platform is developed by Chinese white-label electronics maker Thinkrace, one of the largest manufacturers of location-tracking devices. The platform works as a backend system for Thinkrace-made devices, storing and retrieving locations and other device data. Not only does Thinkrace sell its own child-tracking watches to parents who want to keep tabs on their children, the electronics maker also sells its tracking devices to third-party businesses, which then repackage and relabel the devices with their own branding to be sold on to consumers.

All of the devices made or resold use the same cloud platform, guaranteeing that any white-label device made by Thinkrace and sold by one of its customers is vulnerable.

Ken Munro, founder of Pen Test Partners, shared the findings exclusively with TechCrunch. Their research found at least 47 million vulnerable devices.

"It's only the tip of the iceberg," he told TechCrunch.

Smartwatches leaking location data

Munro and his team found that Thinkrace made more than 360 devices, mostly watches and other trackers. Because of relabeling and reselling, many Thinkrace devices are branded differently.

"Often the brand owner doesn't even realize the devices they are selling are on a Thinkrace platform," said Munro.

Each tracking device sold interacts with the cloud platform either directly or via an endpoint hosted on a web domain operated by the reseller. The researchers traced the commands all the way back to Thinkrace's cloud platform, which the researchers described as a common point of failure.

The researchers said that most of the commands that control the devices do not require authorization and the commands are well documented, allowing anyone with basic knowledge to gain access and track a device. And because there is no randomization of account numbers, the researchers found they could access devices in bulk simply by increasing each account number by one.
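A defender-side illustration of the enumeration pattern described above, added here and not taken from the article or the researchers: it scans access logs for a single client walking through account numbers one at a time. The log format, the `account_id` parameter, the `/api/location` path and the thresholds are assumptions; the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Assumed (constructed) log format: timestamp, client IP, method, URL, status.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) "
    r"\S*[?&]account_id=(?P<acct>\d+)\S* (?P<status>\d{3})$"
)

def parse(lines):
    """Yield (client_ip, account_id, status) for lines that carry an account_id."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ip"], int(m["acct"]), int(m["status"])

def longest_sequential_run(ids, max_step=1):
    """Length of the longest run in which each ID rises by 1..max_step."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if 0 < cur - prev <= max_step else 1
        best = max(best, run)
    return best

def find_enumerators(lines, min_run=5, min_accounts=5):
    """Flag clients that request many distinct accounts in incrementing order."""
    requested = defaultdict(list)   # ip -> account IDs in request order
    answered = defaultdict(set)     # ip -> accounts that returned a 2xx
    for ip, acct, status in parse(lines):
        # Collapse repeated polling of one account (normal app behaviour).
        if not requested[ip] or requested[ip][-1] != acct:
            requested[ip].append(acct)
        if 200 <= status < 300:
            answered[ip].add(acct)
    findings = {}
    for ip, ids in requested.items():
        run = longest_sequential_run(ids)
        if run >= min_run and len(set(ids)) >= min_accounts:
            findings[ip] = {
                "distinct_accounts": len(set(ids)),
                "longest_run": run,
                "accounts_answered": len(answered[ip]),
            }
    return findings

# Constructed sample: two ordinary clients and one client stepping through IDs.
SAMPLE_LOG = [
    "2019-12-18T10:00:00Z 198.51.100.20 GET /api/location?account_id=204518 200",
    "2019-12-18T10:00:30Z 198.51.100.20 GET /api/location?account_id=204518 200",
    "2019-12-18T10:00:40Z 198.51.100.33 GET /api/location?account_id=311002 200",
    "2019-12-18T10:00:50Z 198.51.100.33 GET /api/location?account_id=150877 200",
    "2019-12-18T10:01:00Z 198.51.100.20 GET /api/location?account_id=204518 200",
] + [
    f"2019-12-18T10:02:{i:02d}Z 203.0.113.7 GET /api/location?account_id={100001 + i} 200"
    for i in range(8)
]

if __name__ == "__main__":
    for ip, detail in find_enumerators(SAMPLE_LOG).items():
        print(ip, detail)
```

Detection of this kind complements, but does not replace, a server-side check that the authenticated caller actually owns the account being requested.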

The flaws aren't just putting children at risk, but also others who use the devices.

In one case, Thinkrace provided 10,000 smartwatches to athletes participating in the Special Olympics. But the vulnerabilities meant that every athlete could have their location monitored, the researchers said.

Child voice recordings found exposed

One device maker bought the rights to resell one of Thinkrace's smartwatches. Like many other resellers, this brand owner allowed parents to track the whereabouts of their children and raise an alarm if they leave a geographical area set by the parent.

The researchers said they could track the location of any child wearing one of these watches by enumerating easy-to-guess account numbers.

The smartwatch also allows parents and children to talk to each other, just like a walkie-talkie. But the researchers found that the voice messages were recorded and stored in the insecure cloud, allowing anyone to download files.

Cloud flaws expose millions of child-tracking smartwatches

A recording of a child's voice from a vulnerable server of a smartwatch reseller. (We've removed the audio to protect the child's privacy.)

TechCrunch listened to several recordings picked at random and could hear children talking to their parents through the app.

The researchers likened the findings to CloudPets, an internet-connected teddy bear-like toy, which, in 2017, left their cloud servers unprotected, exposing two million child voice recordings.

Some five million children and parents use the smartwatch sold by the reseller.

Disclosure whack-a-mole

The researchers disclosed the vulnerabilities to several white-label electronics makers in 2015 and 2017, including Thinkrace.

Some of the resellers fixed their vulnerable endpoints. In some cases, the fixes put in place to protect vulnerable endpoints later became undone. But many companies simply ignored the warnings, prompting the researchers to go public with their findings.

Rick Tang, a spokesperson for Thinkrace, did not respond to a request for comment.

Munro said that while the vulnerabilities are not believed to have been widely exploited, device makers like Thinkrace "need to get better" at building more secure systems. Until then, Munro said owners should stop using these devices.

NASA's mission to once again fly astronauts from US soil readies for key milestone with Friday launch

NASA and partners Boeing and the United Launch Alliance (ULA) are gearing up for a crucial milestone moment on Friday: The "Orbital Flight Test" (OFT) of the Boeing Starliner CST-100 Crew Capsule. The capsule, a spacecraft designed to carry astronauts on board from U.S. soil for the first time since the end of the Space Shuttle program, will be launched on an Atlas V rocket provided by ULA — without anyone on board this time, but in a mission that is one of the last key steps before astronauts take their first ride.

What's happening

On Friday, pending weather and everything else cooperates, ULA's Atlas V rocket will carry the Boeing Starliner CST-100 crew capsule to the International Space Station (ISS). This launch will be essentially a full run-through of the forthcoming Crew Flight Test (CFT), the first flight of the Boeing crewed spacecraft with actual astronauts on board.

While this is one key component before that CFT mission takes place, it's not the only one remaining: Starliner must still undergo three remaining reliability tests for its parachute system, on top of the data gained about this crucial component of the overall launcher, before the spacecraft is certified for regular service transporting astronauts to and from the ISS in a non-testing capacity.

During the mission, the Starliner will ascend atop the Atlas V rocket to a height of 98 nautical miles, at which point it'll separate from the rocket and continue under its own power for the remainder of the trip to orbit, where it'll rendezvous with the ISS for docking. Astronauts on board the ISS will assist with docking using the station's robotic arm, and then unload around 600 lbs of equipment and supplies that's being carried aboard the crew capsule as a secondary mission, before the capsule undocks and returns to Earth.

When and where it's going down

The launch is scheduled for Friday morning, December 20th at 6:36 AM EST (3:36 AM PST). It'll launch from Space Launch Complex 41 (SLC-41) at Cape Canaveral Air Force Station in Florida. Weather conditions are looking 80% favorable based on current forecasts, which means that as it stands, there's a good chance weather will be within acceptable limits for take-off.

The launch window is instantaneous, meaning that it only opens for that specific time and if anything prevents the launch from happening, there are backup dates potentially available — December 21 and 23, as well as options on either Christmas Day or a few days following. After launch, the Starliner will dock with the station on the morning of December 21, and then spend around a week at the ISS, before undocking on December 28 for its return trip. The journey back is as important as the trip to the ISS in terms of proving out the spacecraft's proper functioning.

What happens after that

Should everything go to plan, Boeing's Starliner CST-100 will be much closer to its ultimate goal of transporting people to space. As mentioned above, the parachute system still requires some additional testing for certification purposes, but the crewed CFT test launch should happen sometime in "early 2020," according to Boeing, provided everything meets their strict requirements in terms of safety and other readiness standards.

On Wednesday, ULA rolled out its mobile launch platform and the Atlas V rocket to the launchpad in preparation for Friday's mission. The teams will now conduct pre-launch preparations leading up to Friday, a process it already conducted two weeks ago in dress rehearsal mode covering everything right up to the actual ignition.

We'll have live coverage of the launch right here on TechCrunch as it happens, and a summary of how the launch went immediately following, so check back Friday for updates.

Of all the startup jawns that could possibly come from Philadelphia, perhaps none is as unexpected as Jenzy, the startup that provides an online marketplace and virtual sizing tool for kids' shoes.

The company, which has raised $1.25 million from Morgan Stanley's Multicultural Innovation Lab, was born of desperation and grew up on two continents.

Co-founders Eve Ackerley and Carolyn Horner met five years ago in China while working as English language teachers in the remote corners of Yunnan province. Without much in the way of retail options, the two women resorted to doing much of their shopping online… and it was while searching for shoes that they realized one of the major pain points of the online retail experience was finding the right size.

Philadelphia's Jenzy has a tool to size kids' feet and a marketplace to buy them the right shoes

Jenzy founders Carolyn Horner and Eve Ackerley

When they returned to the U.S. the idea stuck with them. So they set out to develop an application that would be able to size feet using nothing more than a smartphone, and worked with vendors to ensure that women could know their sizes and buy the right shoes.

As the idea evolved, the two first-time entrepreneurs realized that however annoying the buying process was for adults, the need for appropriately sized shoes and a marketplace to buy them was even more acute among children.

"The most proprietary part of what we do is standardize all the shoes on our platform," says Horner.

The company works with brands like Converse, Saucony and Keds to send kids shoes that actually fit their feet. "A kid could be wearing a six in one shoe and a seven in another," says Horner. Using Jenzy, the shoes will arrive in the right size for each foot. "We work with the suppliers to make sure that we're sending the correct size to a parent when they check out on Jenzy."

For retailers, it's an opportunity to reduce what amounts to a huge cost. The industry average rate for returns is 30%, and Horner says that Jenzy reduces that figure to 15%. And those savings matter in what's an $11 billion industry, according to Horner's estimates.

The company launched the first version of its app in July 2017 and just released an update earlier this year. To date, Horner estimates the company has sized 25,000 feet and had 15,000 downloads since May.

"The plan was to see about if we still were interested when we got back from China," Horner says of the company's early days.

Initially, the two partners worked out of Ackerley's parents' house in California, but eventually moved to Philadelphia when the company pivoted to focus on children's shoes to be close to their beta testers — Horner's family, who had a lot of kids.

Four months after the news broke that veteran VCs Theresia Gouw and Jennifer Fonstad were going separate ways after forming their own venture firm in 2014, Gouw says her new firm, Acrew Capital, has closed its debut fund with an impressive $250 million in capital commitments.

The firm, with offices in both San Francisco and Palo Alto, was originally targeting between $175 million and $200 million, says Gouw, adding that many of the investors — including Melinda Gates — are the same who participated in Aspect Ventures, the outfit that Gouw and Fonstad will eventually wind down. (They're currently investing in follow-on rounds in the startups that Aspect had backed with its two funds: a $150 million vehicle, followed by a $200 million fund.)

Certainly, Acrew's limited partners know the young firm's investing team. Gouw launched Acrew with Lauren Kolodny, Mark Kraynak, Vishal Lugani and Asad Khaliq, all of whom worked previously at Aspect and all of whom are partners, except for Khaliq, who joined Aspect in 2016 and remains a principal for now. Indeed, on a call earlier this week, Gouw emphasized the collaborative nature of Acrew, stressing that she sees her team as co-founders, and sharing that any two partners can push a deal through, while it takes just one partner to nix something.

"Team is at the center of everything we do," said Gouw, who has been named to the Forbes Midas List eight times in her investing career, much of it spent with Accel Partners. "VC is best practiced as a team sport, and every win is going to be a team win."

If you're curious, not everyone is on equal financial footing just yet, but Gouw suggests that Acrew's founding team has more transparency than do many other partnerships into how the economics breaks down — and that the goal is for everyone to receive the same share of returns over time, and likely sooner than later. She said the firm launched very intentionally with a "multigenerational founding team" — which is rare in the venture business — not just because of the "business advantages it [confers] now" but also because it "positions us well through many funds and many cycles."

So far, Acrew has made six investments, including in the digital bank Chime, which just last week closed on $500 million in fresh funding at a $5.8 billion valuation. The startup, which was valued at $1.5 billion as of March, is also a portfolio company of Aspect Ventures. (Gouw credits Kolodny with leading the company's Series A round.)

Other Acrew investments include Klar, a challenger bank akin to Chime in Mexico City that closed on $57.5 million in debt and equity funding in September, and Augtera Networks, a startup that helps large enterprises automate their network operations and which announced $4 million in funding just last week, led by Bain Capital Ventures.

Generally, says Gouw, the firm will be looking to invest in half a dozen areas, including cybersecurity, where Gouw is widely considered expert; financial services; the future of work; and interconnected data.

As an example of the latter, Gouw points to PredictHQ, a New Zealand-based startup whose Series A round was led by Aspect last year; it helps companies like ride-share outfits better predict when there's likely to be a spike in demand for their services.

In terms of the checks Acrew will be writing, Gouw says that Acrew will participate in seed rounds, investing as little as $1 million or less. It will also lead Series A rounds, writing initial checks of between $4 million and $7 million, as needed. It needn't always be the lead investor in a round, however. "If because of the size of their fund, another firm needs to write an $8 million check, we can write a check for $1 million to $2 million" to fill out the round.

As for what happened at Aspect, Fonstad — who is separately raising a debut fund for her own new firm, Owl Capital — told the WSJ back in September that she and Gouw "saw very much eye to eye in terms of our investments and strategy. But we had very different leadership styles and different ways of operating at the portfolio level."

Asked at a recent TechCrunch Disrupt event what Fonstad meant, Gouw declined to flesh out their differences, saying she would speak instead to how she operates. "I have four co-founders in Acrew Capital, so there's five of us, and we operate as a team, and we all have equal say in investment decisions, and that's my management style."

You can check out more of that conversation below.

Here's a Mickey Mouse version of Amazon's Echo Wall Clock

Amazon's original Echo Wall Clock was mostly fine. Some consumers ran into connectivity issues with the device, but it was mostly okay. It's one of the most passive members of the Echo family of devices, mostly doing its wall clock thing, until you need a time set.

The latest addition to the line has something its predecessor lacked, however: a giant Mickey Mouse. From the looks of it, things are mostly exactly the same here, with the important addition of a large, smiling rodent whose little mouse arms point out the hours and minutes.

There's the standard 60 LED ring that serves both to designate minutes and lights up for timer countdowns. The clock pairs with Echo devices, responding to voice commands and automatically adjusting for daylight savings time. Also these handy features:

  • Echo Wall Clock - Disney Mickey Mouse Edition helps you stay organized and on time.

  • Easy-to-read analog clock with iconic design cover shows the time of day.

Which is to say, it's a clock. Which is also to say that, even when it's broken, it's right twice a day. How many gadgets can say that? The Echo Wall Clock - Disney Mickey Mouse Edition is available now for those who still somehow have more room in their life for Disney, and should get to you before Christmas if you order now. It runs $50 — $20 more than the standard edition.

The U.K.'s competition regulator has raised concerns about the market power of digital ad platform giants Google and Facebook in an interim report published today, opening up a consultation on a range of potential interventions — from breaking up platform giants to limiting their ability to set self-serving defaults and enforcing data sharing and/or feature interoperability to help rivals compete.

Breaking up Google by forcing it to separate its ad server arm from the rest of the business is one of a number of possible interventions it's eyeing, along with enforcing choice screens for search engines and browsers that use non-monetary criteria to allocate slots — versus Google's plan for a pay-to-play offering for EU Android users (which rivals argue does not offer relief for the antitrust abuse the European Commission sanctioned last year).

The U.K. regulator is also considering whether to require Facebook to interoperate specific features of its current network so they can be accessed by competitors — as a fix for what it describes as "strong network effects" which work against "new entrant and challenger social media platforms."

The Competition and Markets Authority (CMA) launched the market study in July — a couple of weeks after the U.K.'s data watchdog published its own damning report setting out major privacy and other concerns around programmatic advertising.

It is due to issue a final report next summer — which will set out conclusions and recommendations for interventions — and is now consulting on suggestions in its interim report, inviting contributions before February 12.

Since beginning the study, the CMA says it has received several requests to open a full-blown market investigation, which means it has a statutory duty to consult on making such a reference.

Based on initial findings from the study, it says there are "reasonable grounds" for suspecting serious impediments to competition in the online platforms and digital advertising market.

The report specifically flags three areas where it suspects harm — namely:

  • the open display advertising market — with a focus on "the conflicts of interest Google faces at several parts of its vertically integrated chain of intermediaries";
  • general search and search advertising — with a focus on "Google's market power and the barriers to expansion faced by rival search engines";
  • social media and display advertising — with a focus on "Facebook's market power and the lack of interoperability between Facebook and rival services".

Other concerns raised in the report include problems flowing from a lack of transparency in the digital advertising market; and the difficulty or lack of choice for consumers to opt out of behavioral advertising.

However, the regulator is not making a market investigation reference at this stage — a step which would open access to the order making powers which could be used to enforce the sorts of interventions discussed in the report. Instead, the CMA says it favors making recommendations to government to feed into a planned "comprehensive regulatory framework" to govern the behaviour of online platforms.

Earlier this year the U.K. government set out a wide-ranging proposal to regulate a range of online harms. Although it remains to be seen how much of that program prime minister Boris Johnson's newly elected Conservative government will now push ahead with.

"Although it is a finely balanced judgement, we remain of the view that a comprehensive suite of recommendations to government is currently the best way forward and are therefore consulting on not making a market investigation reference at this stage," the CMA writes, saying it feels it has further investigation work to do and also does not wish to "cut across" the government's plans around regulating platforms.

"The concerns we have identified regarding online platforms such as Google and Facebook are a truly global antitrust challenge facing governments and regulators. Therefore, in relation to some of the potential interventions we may consider in a market investigation, and in particular any significant structural remedies such as those involving ownership separation, we need to be pragmatic about what changes could efficiently be pursued unilaterally by the UK," it adds, saying it will "continue to work as closely as we can with our international counterparts to develop a coordinated position on these issues in the second half of the study."

Antitrust regulators in a number of countries have been turning their attention to platform giants in recent years — including Australia and the U.S.

The new European Commission has also talked tough on platform power, suggesting it will further dial up scrutiny of tech giants and seek to accelerate its own interventions where it finds competitive harms.

Responding to the CMA report in a statement, Ronan Harris, VP, Google U.K. and Ireland, told us:

The digital advertising industry helps British businesses of all sizes find customers in the UK and across the world, and supports the websites that people know and love with revenue and reach. We've built easy-to-use controls that enable people to manage their data in Google's services — such as the ability to turn off personalised advertising and to automatically delete their search history. We'll continue to work constructively with the CMA and the government on these important areas so that everyone can make the most of the web.

A Facebook spokesperson also sent us this statement:

We are fully committed to engaging in the consultation process around the CMA's preliminary report, and continuing to deliver the benefits of technology and relevant advertising to the millions of people and small businesses in the UK who use our services.

We agree with the CMA that people should have control over their data and transparency around how it is used. In fact, for every ad we show, we give people the option to find out why they are seeing that ad and an option to turn off ads from that advertiser entirely. We also provide industry-leading tools to help people control their data, like "Off Facebook Activity", and to transfer it to other services through our Data Transfer tools. We look forward to further engagement with the CMA on these topics.
