Need to know
- Our personal alarms test unearthed a disturbing lack of protection for your personal data
- Many of the devices come with easy-to-hack default user IDs and passwords and don't prompt you to change them
- The tracking apps on many of the devices are especially worrying, with default passwords that are often a highly hackable 123456
A personal alarm can literally be a life-saver, especially for older people or those with a disability. If you have an accident, you press a button and help should be on the way.
It's a serious piece of technology, so you'd think the manufacturers and resellers would be safety-minded across the board. But many fall short when it comes to the safety of the personal information you surrender when you set these devices up – including your name, address, date of birth and driver's licence number.
Some manufacturers and resellers make little effort to protect this vital data, which can be used by fraudsters to steal your identity. No one wants their details ending up on a company server that's as hackable as the device itself.
But, as our testers discovered, many of these devices are a personal data breach waiting to happen. And as Australia's population ages, the uptake of personal alarms is bound to rise. This is just one of the reasons we no longer recommend any of the personal alarms we test.
What's the security issue?
Many of the products come with a readymade user ID and password, and no prompts to change them.
This is especially worrisome if an app related to tracking is involved. In 2018 the MyFitnessPal breach affected up to 150 million users. It was reported earlier this year that the credentials of some of those affected have surfaced on the so-called 'dark web'.
Personal data security is not a priority for many retailers of personal alarms.
The personal alarm watch from mindme.com.au comes with credentials for a tracking app called FangZouDiu (which, roughly translated, is Mandarin for "prevent getting lost").
The default user name for the app is an email account at 163.com, a mainland Chinese web service and multimedia provider. The default password is 123456.
"Who knows what the apps are mining and sending to offshore servers?" says CHOICE tester Scott O'Keefe.
And many sellers of personal alarms offer to set the product up for you, which entails activating a SIM card on your behalf.
One of our buyers activated a number of devices using this method and found that manufacturers paid very little attention to protecting personal information.
Over the phone, businesses told our buyer they needed details such as a driver's licence number and date of birth, but wouldn't keep it – this verbal assurance appeared to be the extent of their security policy.
CHOICE tech expert Steve Duncombe says consumers have reason to be concerned.
"Once you put your personal information out there via these companies' websites, it can end up anywhere," he says. "People scream about our own government collecting this type of data, yet they willingly, or unknowingly, give it away to foreign-based websites controlled by who knows who."
A hacker going after individual personal alarm data is one concern, says Duncombe, but the bigger worry is hackers gaining access to insecure company servers that hold the personal alarm data of many consumers.
All made in the same factory?
Our testers suspect that many of these devices are generic models made by the same overseas manufacturer, probably in China.
It's roughly $20 worth of technology, which is branded locally and sold for up to $400 by Australian retailers.
Many of the products we tested from different Australian retailers were, based on appearance, the same device from the same manufacturer. Others had the same easily hacked default passwords, meaning that anyone who had an interest in tracking people could do so.
Another problem is that some of the devices that use SMS can be controlled remotely by someone sending them simple SMS commands.
UK cyber security and penetration testing service, Fidus, pictures a device on its website that appears to be the same device pictured on livelifealarms.com.au, which we tested. Fidus warns that such devices are available in Australia and raises the concern that these bulk-made, rebranded and resold devices are vulnerable to exploitation.
The default password for the tracking app in some devices is 123456, showing disregard for the security of your personal details.
The webpage FAQ for this device says "the devices are set up and shipped from Melbourne, not offshore!" but offers no other information as to why this is a selling point. (However, the retailer does commit to having security measures in place to secure your personal data and payment details.)
Another prominent cyber security firm, Avast, revealed in early September that the issue seems to be widespread across the industry.
Avast reported that 29 models of a child-tracking device made by the same Chinese manufacturer, Shenzhen i365 Tech, had "serious" security vulnerabilities that could allow access to users' personal information. These vulnerabilities include 123456 default passwords.
Poor design in the trackers also allows third parties to fake a user's location and access the microphone to listen in on users' surroundings. The setup process instructs users to download apps from an insecure HTTP (as opposed to a secure HTTPS) website.
As with the personal alarms we tested, the devices, which are sold under a variety of brand names, could easily be hijacked by third parties for a variety of nefarious purposes, according to Avast.
Avast also suggests that these issues are not limited to one vendor and estimates that there are 50 different apps sharing the same platform that could potentially have the same vulnerabilities. It strongly advises that anyone using these types of device stop using them.
Information commissioner weighs in
We shared some of our findings with the Office of the Australian Information Commissioner (OAIC), whose portfolio includes data privacy.
"We expect organisations which handle personal information to act responsibly, in line with the Privacy Act, including making it clear to individuals how their information will be used," a spokesperson told us.
They added that, under the Privacy Act, organisations "should only collect personal information that is reasonably necessary and is obliged to take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure".
"We advise consumers to exercise care when providing personal information online and to use strong unique passwords or pass-phrases – rather than reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service.
"If someone believes their personal information is not being handled in accordance with the Australian Privacy Principles they can make a complaint to our office and we can investigate."
OAIC has the power to intervene and issue penalties to businesses that don't comply.
It's sound advice, although, according to Avast's research, some personal tracker devices can be hacked through the device number or phone number on the SIM alone, so strong passwords wouldn't help.
How to secure your personal alarm data
● Use your own SIM card if possible. It's worth noting that when we wanted to do this, we had to call the supplier to ask if it was possible. Having the seller arrange and activate the card for you may seem more convenient, but then they'll have more of your personal data.
● Get a personal alarm that doesn't use a smartphone app. But bear in mind that the alternatives that use a website also have vulnerabilities, and some simply refer you to Google Maps. If no app is involved, this greatly lessens the risk that your personal data could end up somewhere with poor protection. It also lowers the risk that someone else could track the wearer.
● If you really want to use an app, make sure you check out the developer and any online reviews. But remember, positive reviews can be posted by people who are paid by the manufacturer to write them. Be careful not to give the app more phone permissions than it needs to function.
● The designs of many of these devices are inherently vulnerable to data breaches, so the steps above are no guarantee of security.
● Contact the company selling personal alarms and ask about their security protocols if you're not satisfied with the information on their website.
So what's the big deal?
Maybe you're not too worried about people with bad intentions gaining control of a personal alarm or similar device? Well, you should be – the consequences for your cyber security could be serious.
As our testers and tech experts have pointed out, it's a matter of protecting your personal data. If it's stored on an insecure server and falls into the wrong hands, it could be used for any number of purposes, including identity theft.
And as Avast's research reveals, shadowy third parties can take over such devices and use them to track the whereabouts of the user or manipulate the functionality of the device. This may not be an issue for some, but most people should avoid making themselves vulnerable in this way.