China-based company MiSafe is once again making headlines with its unsecured products after a pen tester found its child-tracking smartwatches to be highly insecure.
MiSafe previously drew controversy after the firm’s Mi-Cam baby monitors were found to be susceptible to unauthenticated access and hijacking of arbitrary baby monitors.
Pen Test Partners researchers Ken Munro and Alan Monie recently discovered the GPS-enabled smartwatches were neither encrypted nor connected to secure allowing an attacker to easily access personal information registered to the account, such as children’s photos, names, gender, date of birth, height, weight, and phone numbers.
The researchers were also able to remotely manipulate the device to simulate attacks that could track a child’s movements and location, listen in on their activities, and even make spoof calls to the watches that appeared to come from the children’s parents.
The vulnerabilities were so bad that the researchers recommended parents discard the watches out of concern for the safety of their children.
The watches were first released in 2015 and use GPS and 2G technology to let parents monitor their children from a smartphone app. Researchers found that nearly 14,000 of the vulnerable smartwatches were still in use and have tried to contact MiSafe to no avail.
Paul Bischoff, privacy advocate with Comparitech.com, scolded the firm, saying there is no excuse for failing to properly secure the devices.
“Why MiSafes failed so spectacularly in this regard is anyone's guess,” Bischoff said. “That being said, IoT device manufacturers have for some time lagged behind the rest of the tech industry when it comes to implementing security.”
Smartwatches targeting children have already been banned in some countries, but Bischoff expressed the belief that there should also be some sort of legal consequences for the Chinese company that made and sold the poorly secured products. He also recommended parents dispose of the vulnerable devices.
“The fact that MiSafe's watches were manufactured in China and sold in the rest of the world without sufficient prior inspection or audit should be ringing alarm bells for lawmakers and regulators,” Bischoff said. “In an age when cyber espionage is a huge concern, we need to better vet the devices we allow to be sold, particularly if they were imported, and doubly so if they're designed for children.”
HackerOne IT engineer Aaron Zander noted IoT devices designed for children have suffered some of the worst security incidents in recent years.
“Until security is mandated or tied to higher prices we shouldn't expect it to be included,” Zander said. “So how do you purchase safe smart toys for your kids? You don’t. But if you must, don't go for the cheapest options and try to minimize capabilities like video, WiFi and Bluetooth.”
Zander added that if you do have a device and it does have a security flaw, you should reach out to your government representatives and write to your regulating bodies, as it is the only way it gets better.