Researchers are warning parents that a children’s connected smartwatch has vulnerabilities that leak users’ personal and GPS data, and allow attackers to listen in on and manipulate conversations. Worse, the smartwatch in question, SMA M2, is currently used by 5,000 children worldwide.
Chinese manufacturer Shenzhen Smart Care Technology Ltd. (SMA) said that the SMA M2 smartwatch, which costs $35, helps parents track their children using a companion app that tracks the smartwatch’s GPS location and allows them to send messages or make phone calls.
However, researchers with AV-TEST in Germany said that they discovered personal information of smartwatch users, including real-time GPS position data sent by the children’s watch via the inserted SIM card, left unencrypted via a publicly accessible web API.
“The Chinese children’s watch is anything but a product for the protection of children, but on the contrary a real dange. It offers potential attackers the ability to identify the location of more than 5,000 children and access data from over 10,000 parent accounts,” said Maik Morgenstern, CTO at AV-TEST, in a post this week.
Other personal data is left unencrypted as well, including names of both children and their parents, children’s addresses and their ages. Also openly available are children’s smartwatch contacts – including potential relatives – and all voice messages transmitted.
Viewing personal data is one thing, but researchers also discovered a vulnerability that allows attackers to intercept and manipulate conversations, opening up other pernicious threats.
A configuration file in the complementary smartphone app directory – used by parents – can be used to connect to children’s smartwatches using their user IDs. However, it does not require any type of authentication.
Because the user IDs are also exposed unprotected on the publicly-accessible web API, an attacker could download the app and simply input a child’s user ID to connect with their phone – then send them messages and phone calls under the guise of their parent.
“Accordingly, the app belonging to the Chinese children’s watch also provides attackers with the opportunity to conveniently access any account and, like the legitimate user, to use the full functionality of the parent app, including position determination, voice messages, telephony and all other functions,” said Morgenstern.
Researchers said that they have contacted SMA regarding their findings – however, the manufacturer still continues to sell the watch via various distributors worldwide, and at last check the vulnerabilities were still present on the smartwatches across Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and China (see map to left), they said.
Researchers did not mention whether SMA reacted to the vulnerability disclosure; Threatpost has also reached out to SMA. German distributor Pearl, in the meantime, has since taken the smartwatch off the market.
While IoT device security issues are nothing new, children’s connected smartwatches privacy problems are viewed as particularly insidious – and unfortunately, still widely prevalent.
In April, a popular smartwatch that allows parents to track their children’s whereabouts, TicTocTrack, was discovered to be riddled with security issues that could allow hackers to track and call children. In January, researchers found an array of security issues in the Gator portfolio of watches from TechSixtyFour, and found flaws exposing sensitive data of 35,000 children. In February, the European Commission issued a recall for the Safe-KID-One, an IoT watch made by German company Enox Group, due to “serious” privacy issues. And, in November, The Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.