After seeing this in a random shop for 50p I thought I’d get it and see how it works. The idea looks good.
Boy, was I wrong…
The tag itself is nothing but a QR code that takes you to a website showing the information you entered when activating it. No NFC; it looks like something made in the ’90s.
But that can’t be too bad, right?
Wrong!
After activating a tag with fake info, I was shocked. The QR code contains nothing but a URL, and the only thing in that URL that identifies the tag is a 7-digit number.
Surely not? You all know where this is going.
What happens if I change that number? If you thought “the personal and medical details of someone else”, well done, you get a gold star.
So what sort of information do people upload to this thing?
A scary amount of data. Almost every tag I checked had a name, date of birth, address, and email address on it.
But wait for it… A large number also had medical info, medication and doctor’s details.
So now the big question: can we automate a download of all this data? After all, all we need is a 7-digit number, and from the one I bought I know my own number. What if we download 100, 1,000, or even 100,000 at a time?
You guessed it. Yes, we can. And even worse, the site has no limit or rate-limiting per IP address.
I’m not going to help anyone get the information, but as simple as it is, I’m not going to be able to stop anyone. For this reason, I’m not going to give the URL for the QR code.
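The two controls the site is missing are an unguessable tag identifier and a per-client rate limit. The following is an added illustration written for this post, not SuperAlertID/Dynotag code, and it fetches nothing: it is a toy in-memory model of the vulnerable pattern (sequential 7-digit IDs, no auth, no limit) beside a hardened one (a 128-bit random capability token in the QR URL, stored only as a hash, with a fixed-window rate limit). Class names, the 1,000,000 starting ID, the 3-per-minute policy and the two sample records are all assumptions.

```python
"""Toy model of a QR-tag lookup service: sequential IDs (as the post
describes) versus random capability tokens plus rate limiting.
Added illustration; not the vendor's code. All names are assumptions."""
import hashlib
import secrets
import time

# Constructed sample records (the real tags carry far more fields).
SAMPLE_RECORDS = [
    {"name": "A. Example", "conditions": "Type 1 diabetes"},
    {"name": "B. Example", "conditions": "Penicillin allergy"},
]


class SequentialIdService:
    """The vulnerable pattern: IDs are 1000000, 1000001, ... and the only
    thing standing between a stranger and every record is the ability
    to add one to a number."""

    def __init__(self):
        self._next = 1_000_000      # assumed starting value
        self._records = {}

    def activate(self, record):
        tag_id = self._next
        self._next += 1
        self._records[tag_id] = record
        return tag_id               # this number ends up in the QR-code URL

    def lookup(self, tag_id):
        return self._records.get(tag_id)   # no auth, no limit


class FixedWindowLimiter:
    """Per-client fixed-window rate limit: at most `limit` lookups per
    `window_s` seconds. `clock` is injectable so tests can control time."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self._hits = {}             # client -> (window_start, count)

    def allow(self, client):
        now = self.clock()
        start, count = self._hits.get(client, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0   # new window
        count += 1
        self._hits[client] = (start, count)
        return count <= self.limit


class TokenService:
    """Hardened pattern: the QR URL carries a random 128-bit token, the
    server keeps only its SHA-256 (a database dump does not yield live
    URLs), and lookups are rate limited per client."""

    def __init__(self, limiter):
        self._records = {}
        self._limiter = limiter

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def activate(self, record):
        token = secrets.token_urlsafe(16)   # 16 random bytes = 128 bits
        self._records[self._key(token)] = record
        return token                        # printed into the QR code only

    def lookup(self, token, client):
        """Returns (record_or_None, http_status)."""
        if not self._limiter.allow(client):
            return None, 429
        rec = self._records.get(self._key(token))
        return (rec, 200) if rec else (None, 404)


if __name__ == "__main__":
    weak = SequentialIdService()
    mine = weak.activate(SAMPLE_RECORDS[0])
    weak.activate(SAMPLE_RECORDS[1])
    print("next door's record:", weak.lookup(mine + 1))   # someone else's data

    strong = TokenService(FixedWindowLimiter(limit=3, window_s=60))
    tok = strong.activate(SAMPLE_RECORDS[0])
    print("token in QR:", tok, "->", strong.lookup(tok, "203.0.113.9"))
```

The sequential service hands a neighbour’s record to anyone who increments the ID; the token service makes guessing a valid URL a 2^128 problem, and even a correct token can only be queried a few times per minute from one client. A real deployment would also keep the scans and free-text notes behind the owner’s login rather than on the public first-responder view.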
Let’s look at the data.
Each tag can have different data. Almost all have names, addresses, and email addresses, but many have loads more info.
I’ll be blocking out identifiable info, as this is a real person I randomly picked.
This person gives us a full street address (click it on the site for a Google map).
Cell phone and work numbers.
Date of Birth
Gender, height, weight, hair colour, eye colour, and spoken languages.
That alone is a scary amount of information, but keep reading.
Next up we have the Conditions section.
This gives details of any medical conditions the person has listed.
After all, this is sold as a magic medical device.
This is the Notes section.
A free-text area to give away any personal information you like that Dynotag didn’t think scammers would need.
Use this to tell everyone your deepest secrets.
The Contacts section
This lets you share other people’s personal data, likely without them even knowing.
And now we get to the ultra-scary bit.
The Policies and Files area
The Policies section contains details of insurance etc., including a PDF scan uploaded by the user.
The Files section also holds uploaded scans; on this one they even include a scan of the person’s driver’s licence.
So what do we think?
I think SuperAlertID.com by Dynotag has messed this up beyond any kind of excuse. They have created a public database of personal and medical data, with the added bonus of copies of official government IDs, that can be accessed by anyone.
Never before has identity theft been so easy. No more going through bins looking for copies of letters. Now all you need to do is enter a 7-digit number and, with the unwitting help of a poor person who bought a SmartID with no idea of its lacking security, you have everything you need.
If you have one of them, get your data deleted from the site RIGHT NOW. It may, however, be too late. With SuperAlertID having been around since 2019, the time someone has had to mine the data has long passed.