Kids’ smartwatches are designed to give peace of mind to parents, enabling them to keep an eye on their child’s location and ensure they stay safe.
However, an investigation by the Norwegian Consumer Council (NCC) of three such watches has revealed worrying security flaws and threats to a child’s privacy.
The NCC found that hackers could easily take control of the watches and use them to track a child’s location, eavesdrop on or communicate with them, or even trick the parents into thinking the watch was somewhere it was not.
Kids’ smartwatches usually have GPS and contain a SIM card, which transmits location data and other information over 2G. The parent downloads a companion app to their phone and can then track the data, as well as access other features, such as setting a ‘geofenced’ safe area in which the child can play, and getting alerts if the child moves outside of that area.
The NCC asked a security firm, Mnemonic, to look at three watches that are also available in some form in the UK: the Gator, Xplora and SeTracker watches.
Mnemonic found that in just a few simple steps a stranger could seize control of the Gator and SeTracker watches, and then track, eavesdrop on and even communicate with the child.
More detail is available on each watch below.
The NCC has engaged with all three watch manufacturers with its findings. It has also shared the research with the Norwegian Data Protection Authority, who have in turn informed European data regulators.
Which? has also shared the report with the National Cyber Security Centre, the National Crime Agency, DCMS, BEIS and the ICO, all of which have an interest and role in tackling insecure devices as part of the Government’s Digital Charter, the Internet Safety Strategy and the forthcoming work on technology security.
Responding to the research, Which? managing director of home products Alex Neill said: ‘Although these products are marketed at making children safer, parents will be shocked if they actually put them at risk because of shoddy security.
‘While there is no denying the huge benefits smart gadgets can bring to our daily lives, safety and security should be the absolute priority. If that can’t be guaranteed, then the products should not be sold.’
Gator 2 watch
The Gator watch, distributed in the UK by Techsixtyfour, has a combination of critical flaws in its account creation process that leaves it wide open to being compromised.
The NCC found that this attack does not require physical access to the watch and can be performed without the account owner knowing. Plus, the hacker would only need moderate technical knowledge.
After surreptitiously pairing their phone or tablet with the watch, the attacker can remotely access the current location of the watch and the location history. They can also edit and remove ‘geofenced’ areas and even send voice messages to the watch itself.
Using what is known as a ‘man-in-the-middle’ attack, a hacker can manipulate the Gator 2 to display false location data, effectively making the watch appear to be where it is not.
It is impossible to delete your information from the watch and therefore when someone opens a new account with it (say, if it was sold), they can see the previous user’s data. Techsixtyfour has since released the Gator 3 watch, but the NCC did not have time to fully test it for security flaws.
The Gator 2 watch was previously sold at John Lewis, but after we contacted the retailer it has since taken the item down from its website.
SeTracker watches
SeTracker is a family of watches sold under various individual brands that all use the same mobile app interface.
The NCC tested the Viksfjord, the version available in Norway, but a very similar watch is available in the UK, branded as Witmoving and sold on Amazon. The NCC is confident that most of its findings apply to all SeTracker family watches. SeTracker watch accounts can be compromised using a method similar to the one that works against the Gator 2.
SeTracker requires a registration code for pairing, but Mnemonic was able to reliably generate this code, enabling full pairing with the watch and access to its functionality. Just like the Gator, the SeTracker was vulnerable to location spoofing. Mnemonic was also able to carry out a voice call hack, in which an attacker instructs the watch to call back to a number of their choosing.
This effectively turns the device into a remote listening device, or alternatively provides a means for an attacker to communicate directly with the child.
Xplora watch
Findings for the Xplora watch weren’t as concerning in terms of vulnerabilities. However, while conducting the test, the NCC inadvertently accessed sensitive personal data belonging to other Xplora users, including location data, names and phone numbers.
Due to the nature of this flaw, we can’t go into detail until it has been addressed by the company. Xplora has engaged with the NCC and wants to address the issue, but it is unclear whether this will be only for users in Norway.
Should you buy a kids’ smartwatch?
As we showed earlier in the year in our ‘hackable home’ investigation, any device, product or gadget that has a network element can theoretically be vulnerable to hackers. But that risk can increase exponentially if the manufacturer hasn’t paid attention to proper security.
This research is just a snapshot test of a handful of kids’ smartwatches, but it has exposed concerning vulnerabilities that should definitely not exist in a product used by children. We feel that any smartwatch, or indeed any other network-connected product, that doesn’t have adequate security against hackers and other online threats to your privacy, shouldn’t be on sale.
If you already have one of the watches on test here, we’d advise you to stop using it, turn it off and uninstall the app. If you’re looking to purchase a kids’ smartwatch in the future, it’s vital to do your research on both the watch and the manufacturer to ensure that proper security has been taken seriously.