A salutary tale from Davey Winder…:
[…] In the case of the smart watch tracker, the security issue was with an unrestricted server-to-server application programming interface (API) that could enable a “TAKEPILLS” command at will by a hacker. My mother, whose memory span could be measured in minutes, would happily do so with each resulting reminder in such a nightmare scenario.
Of course, there is no evidence that anyone ever did exploit this vulnerability, and it was fixed within days of the security researchers reporting their findings to 3G Electronics. The fix was an easy one, involving restricting the server-to-server API access to specific IPs. Handling it from this end meant that the exploit window was closed even for those users who might not, or could not, update their devices.
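The server-side fix the article describes, shown as an added illustration that is not the article's or 3G Electronics' code: a hypothetical server-to-server command endpoint before and after a source-IP allowlist check. The allowlist ranges, handler names and device id are constructed; only the "TAKEPILLS" command name comes from the article.

```python
import ipaddress

# Constructed allowlist of the backend ranges permitted to call the
# server-to-server API (documentation/TEST-NET prefixes, not real hosts).
ALLOWED_PEERS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def peer_allowed(peer_ip, allowlist=ALLOWED_PEERS):
    """True only if the transport-level peer address lies in an allowlisted network.

    peer_ip must be the socket's remote address (or the address a *trusted*
    reverse proxy sets), never a client-supplied header such as X-Forwarded-For,
    which any caller can forge.
    """
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # malformed input never passes
    # ip_address in ip_network is False across IPv4/IPv6 versions, so no
    # special-casing is needed for mixed families.
    return any(addr in net for net in allowlist)


def handle_server_request_unrestricted(peer_ip, command, device_id):
    """Hypothetical pre-fix handler: any caller may issue commands to any device."""
    return {"status": "accepted", "device": device_id, "command": command}


def handle_server_request(peer_ip, command, device_id):
    """Hypothetical post-fix handler: reject non-allowlisted peers before any
    command logic runs, so the window closes regardless of device updates."""
    if not peer_allowed(peer_ip):
        return {"status": "rejected", "reason": "source not allowlisted"}
    return {"status": "accepted", "device": device_id, "command": command}


if __name__ == "__main__":
    # Constructed sample calls: an outside host and a vendor backend host.
    for ip in ("198.51.100.7", "203.0.113.10"):
        print(ip, handle_server_request_unrestricted(ip, "TAKEPILLS", "watch-1"))
        print(ip, handle_server_request(ip, "TAKEPILLS", "watch-1"))
```

The same allowlist should also be enforced at the network edge (firewall or load balancer) so the application check is a second layer rather than the only one.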