Hackers can track, spoof locations and listen in on kids' smartwatches
Norwegian project exposes worrying lack of security
Tests on smartwatches for children by security firm Mnemonic and the Norwegian Consumer Council have revealed them to be riddled with flaws.
The Oslo-based company teamed up with the trading standards body to investigate several smartwatches aimed at kids, specifically the Xplora (and associated mobile application Xplora T1), Viksfjord (and mobile app SeTracker) and the Gator 2 (mobile app Gator).
The project found "significant security flaws, unreliable safety features and a lack of consumer protection".
Strangers can easily seize control of the watches and use them to track and eavesdrop on children due to a lack of encryption and other failings.
The SOS function in the Gator watch, and the whitelisted phone numbers function in the Viksfjord, are particularly poorly implemented. The alerts transmitted when the child leaves a permitted area are also unreliable. Some of the apps associated with the watches lack terms and conditions. Tests showed it wasn't possible to delete data or user accounts.
After surreptitiously pairing their phone or tablet with the Gator watch, an attacker can remotely access the location of the watch and its location history. They can also edit and remove "geofenced" areas and even send voice messages to the watch itself, according to the research.
The Xplora watch exhibited less severe vulnerabilities. During testing, the consumer council inadvertently accessed sensitive personal data belonging to other Xplora users, including location, names, and phone numbers.
The consumer council is referring (PDF) the manufacturers to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act. These are based on EU law so the makers of the kit may have violated EU regulations. The watches are available in multiple EU member states.
"It's very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly," said Finn Myrstad, director of digital policy at the Norwegian Consumer Council.
"Importers and retailers must know what they stock and sell. These watches have no place on a shop's shelf, let alone on a child's wrist."
Mobile developer Roy Solberg also looked at the Gator 2 smartwatch and blasted the kit for its absent security and as a child-tracking risk. He reported his findings in August to the manufacturer but has received no response to date. The publication of the larger study prompted him to go public with his findings.
The Gator watch, distributed in the UK by Techsixtyfour, was previously sold at John Lewis, but consumer advice firm Which? said that after it contacted the retailer the item was pulled from its website.
The Norwegian Consumer Council tested Viksfjord, a Norwegian version. A similar watch also in the SeTracker family is available in the UK, branded as Witmoving and sold on Amazon.
Mnemonic researchers were able to reliably generate the registration code SeTracker requires for pairing, enabling full pairing with the watch and access to its functionality. SeTracker was vulnerable to location spoofing. In addition, Mnemonic was able to develop a voice call hack, involving an attacker instructing the watch to call back to a specified number.
The warnings about children's smartwatches add to the growing list of IoT security woes. Tony Rowan, chief security consultant at SentinelOne, commented: "It's clear to me that we need security standards to be developed and applied to all devices that are going to be connected to any kind of network. Perhaps something along the lines of the CE or kite marking but related to security aspects of the design." ®