The Norwegian Consumer Council and Mnemonic researchers are warning consumers about the dangers of poorly secured smartwatches marketed to children.
Safety and peace of mind are marketed to parents as the main selling points for these watches however, researchers found many of the advertised safety measures actually left children and their data vulnerable, according to the firm's #WatchOut: Analysis of smartwatches for children report.
Researchers examined the Gator 2, Tinitell, Viksfjord and Xplora watches and found the devices allowed unauthorized access, remote audio surveillance, location spoofing, SOS compromise as well as violations of both the Norwegian Marketing Control Act and the Personal Data Act.
The watches are equipped with features like cellular services, Wi-Fi, cameras and GPS all with the promise of helping parents stay in contact with their kids when they are apart.
In order to carry out the attacks, an attacker would only need to obtain a unique identifier or IMEI that is used for registration process to associate watch with new accounts which can easily be obtained without even having access to the devices, researchers said. Similar watches that weren't tested may also be vulnerable to the same vulnerabilities.
“Many of the devices seem to originate from and/or be produced in China, and are imported to different European markets through specialized websites run by startups or enterprising individuals, in addition to traditional retailers,” the report said. “Distributors in different countries rebranding the devices under different names further complicates the picture.”
Many of the vulnerabilities weren't technically difficult to exploit and were due to developers failing to implement standard best practices. The watches also used insecure data storage, sent personal information to servers in North America and East Asia, didn't allow the option for users to delete their own accounts, and had Illegal or non-existent terms and conditions.
In a worst case scenarios, attackers could take control of the watch and track, eavesdrop on and communicate with the child, give the impression child is somewhere else. An attacker could also exploit the vulnerabilities to see data from another user's device as well.
Researchers disclosed the findings to the Norwegian Data Protection Authority (DPA), Datatilsynet on Sept. 1, 2017 and after communications were established between DPA and the Norwegian product distributors on Sept. 13, 2017, researchers received word on Oct. 5 that the problems would be addressed before the release of the report.
Manufacturers have claimed some of the security flaws had been fixed however, researchers have yet to verify the claims. Researchers recommend users refrain from buying these devices until their features and security standards are satisfactory, and that they ask the seller for refunds while pointing out the features that don't work and the privacy breaches.