I've seen larger firms that have come to own some software like this from buyouts and on the first analysis they'll find hundreds of shockingly easy exploits like RCE's in them.

Along with this I've seen the number of software vulns reported by closed source software is no where close to what they find and fix silently at a huge number of companies.

The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit.

It doesn't seem like it has to be local network, though, the computer just has to receive the packet somehow. So for example if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercepts/redirect that traffic and serve the payload through that channel.

You might need the watch has no certificate pinning or weak certificate validation if it's using TLS but IoT devices often skip TLS.

Let me know if I'm misunderstanding the quote.

> In this thesis, welldocumented grey-box ethical hacking is conducted of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s.

Either vendor might see the flaw as low-severity. So what if someone can send packets? So what if someone already on the local network can hack the camera? But combine them and you're pwned.

In theory I should be able to take a modern browser/device over a completely compromised router and either be safe, or have my device tell me "holy shit, something is wrong".

The days of local trust should be long gone by now.

Attacker reachable, presumably? Like from a hacked cable modem or wifi router?

Or one of your other IoT / smart home devices / malware on your PC is doing local network reconnaissance? Connecting this device to a public wifi? Or just a bad neighbour who hijacks your SSID? This smells of "I'm secure because I'm behind a NAT" which conveniently ignores the couple dozen other paths an adversary could take.

> The watch had an insecure network service that anyone could access via the internet.

Why is that? Are the cellular carriers blocking access?

========

I can materialize that smell for you, you're indeed more secure because you're behind NAT. Admitting this does not necessarily entail:

- suggesting that it's a good security solution

- suggesting that it's a security solution to begin with

- suggesting that it somehow prevents all avenues of remote exploitation

What it does do is make these stories sound a lot less dramatic. Because no, John Diddler is not going to be able to just hop on and get into your child's smartwatch to spy on them from the comfort of their home on the other side of the world at a whim, unlike these headlines and articles suggest at a glance. Not through the documented exploitation methods alone anyways, unless my skim reading didn't do the paper justice.

Remaining remote exploitation avenues do include however:

- the vendor getting compromised, and through it the devices pulling in a malicious payload, making them compromised (I guess this kinda either did happen or was simulated in the paper, but this is indirect and kind of benign anyways; you implicitly trust the vendor every time you apply a software update since it's closed source)

- the vendor being a massive (criminal?) doofus and just straight up providing a public or semi-public proxy endpoint, with zero or negligent auth, through which you can on-demand enumerate and reach all the devices (this is primarily the avenue I was expecting, as there was a car manufacturer I believe who did exactly this)

- peer to peer networking shenanigans: not sure what's possible there, can't imagine there not being any skeletons in the closet, would have been excited to learn more

List not guaranteed complete. But this is the kinda stuff I'd be expecting when I see these headlines.

Yes, it's an exploit. It should be fixed. But the endless hyperventilating over fringe exploits mostly has the effect that people now ignore all security conversations.

Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of network address translation (NAT) used by Internet service providers (ISPs) in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end users. This essentially repeats the traditional customer-premises NAT function at the ISP level.

Having said that, NAT isn’t a firewall.

So I agree that the watch would likely be behind NAT (for IPv4), I just disagree with the statement that ISPs usually put their customers behind cgnat.