Naked Security Naked Security

Kids’ smartwatches harbouring major security flaws

Norwegian Consumer Council says "these watches should be in no stores, even less so on a child's arm"

Has Santa Claus, the Tooth Fairy or the agnostic Birthday Gnome ever gifted your tot a smartwatch?

Toss it. All those wrist wraps are Internet-of-Things (IoT) security car wrecks, according to a new report (PDF) from the Norwegian Consumer Council (NCC).

The main point of smartwatches is to geolocate your offspring, but some models also allow parents to call or text their kids. After all, it’s cheaper than a full-fledged smartphone, and somewhat less likely to be buried in a sandbox.

Much like drone makers do to their aircraft, some parents also use the GPS-connected smartwatches to geofence their kids: some models send out an alert when a child leaves a designated area. Some smartwatches have an SOS feature that allows a kid to send an emergency message to a caregiver.

That’s great, except when it’s not. NCC researchers looked at four smartwatch models and found that they can give parents a false sense of security. Some features, such as the SOS and the geofencing alerts, didn’t work reliably.

And, most worrying of all, through simple steps, strangers can take control of the smartwatches. Given the lack of security in the devices, eavesdroppers can listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.

Researchers found that several of the watches also transmit personal data to servers located in North America and East Asia, in some cases without using encryption. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that eavesdropping is going on.

It not only challenges a child’s right to privacy, says Finn Myrstad, director of digital policy for the NCC – “It also threatens their safety,” he says.

Until these issues have been resolved, these watches should be in no stores, even less so on a child’s arm.

In one watch, knowing a user’s phone number “gives an attacker full access to the device,” the report found. In another watch, the researchers “inadvertently came across sensitive personal data belonging to other users, including location data, names and phone numbers.”

One of the watches allowed the researchers to pair an existing gadget with a completely new account, enabling them to see user data, including the watch’s current location and location history and contact phone numbers in the account, all without notifying the watch user.

CBS News quotes Myrstad:

This data can be abused for so many different things – finding out where kids have been means getting extremely sensitive data around where they live, where they go to school. It’s far, far away from any basic standard of security.

According to The Telegraph, the UK retailer John Lewis has already responded to the NCC’s report by withdrawing one of the smartwatch models – the Gator 2 – that the researchers analyzed.

They also tested Viksfjord and Xplora smartwatches. A fourth model, the Tinitell, lacked major security flaws, but it also lacked clear privacy protections, according to the report. According to CBS News, all of the watch models except for Xplora are on sale in the US.

So, another crop of IoT things is insecure. Quelle surprise.

Santa, Tooth Fairy, Agnostic Birthday Gnome, et al., I’m beginning to suspect one of two things:

  1. You’re all NSA agents. That would explain Hello, Barbie, the joke-telling, story-swapping, interactive game-playing, eavesdropping doll that spawned the Hell No Barbie campaign from privacy groups. It would also explain her Hell-spawn sister, My Friend Cayla, which was fitted with a camera and an artificial intelligence (AI) chip for interpreting children’s emotions… and which Germany’s privacy watchdog declared was an “illegal espionage apparatus” that parents should destroy. Given all that, you’re either creeps, government spies, or then again…
    2. You really need help with securing the IoT.

I suspect it’s No. 2. But you’re not alone: we all need help with securing the IoT.

Here are some security tips on how to get that done – ideally before Christmas!

Leave a Reply

Your email address will not be published. Required fields are marked *