Security researchers found that a cheap smartwatch made in China for children, called M2, was exposing the personal details and location information of more than 5K children and their parents. This is particularly timely with holiday shopping in full swing.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
The collection of personal data isn’t new nor is the exposure of such data. What makes this exposure interesting is the use of a public facing API to access the data. Gartner noted recently that public facing APIs will be the most frequently used threat vector by 2022 and this is a great example of the growing attraction to APIs. APIs are broadly used in modern applications, often change frequently, sometimes daily, and will continue to grow in their use throughout every major industry.
The other issue with APIs is the internal trust model companies use to allow communication between company owned components and internal data storage. Most companies today, trust the API user to access all approved data behind it. This type of implicit trust means that when an API is breached, so is the implicit trust to the sensitive data behind that API. Often times, companies even forego monitoring application and API data access because they assume that data access is secure and trusted, when in fact, this data is actually both sensitive and at risk through such vulnerabilities or misconfigurations.
For the personal consumer, it’s hard to know which company you can trust with your data. This isn’t any easier today than it was in recent years past. Consumers should demonstrate their need for data security through their purchasing decisions, and purchase from companies with effective track records of protecting personal consumer data.