Hacking MiSafes’ smartwatches for kids is child’s play

MiSafes, the maker of surveillance devices meant to track kids, is back in the news. This time it’s due to the company’s smartwatches that researchers say are drop-dead simple to hack.
Pen Test Partners has found that attackers can easily eavesdrop on children’s conversations; track them; screw with the geofencing so that parents don’t receive notices when their children wander off; see kids’ names, genders, birthdays, heights and weights; see parents’ phone numbers; and see what phone number is assigned to the watch’s SIM card.
Pen Test Partners researchers Ken Munro and Alan Monie told the BBC that they got curious about the watches after a friend bought one for his son earlier this year.
The watches, in kid-happy kartoon kolors, use a GPS sensor to locate a wearer and a 2G mobile data connection to let parents see where their child is via a smartphone app. They allow one-press phone calls and feature an SOS feature that records a 10-second clip of your kid’s surroundings that’s sent to parents via text. It also sends the child’s exact location, with automatic updates every 60 seconds until the emergency is canceled.
The phones also let parents create “safe zones” and, if everything is working as intended, be alerted if their child leaves the area. Parents can also eavesdrop on kids at any time and initiate two-way calls.

Problem: Pen Test Partners found that none of this data is encrypted by the watches. Nor are children’s accounts secured. The researchers bought a bunch of MiSafes watches so they wouldn’t be illegally attacking anybody, and then they used Insecure Direct Object Reference (IDOR) attacks to pull the watch’s flimsy security apart. IDOR vulnerabilities are common – in fact, they’re a staple of the OWASP Top 10 (you’ll find them merged into the broader category of Broken Access Control from 2017). They are also easy to discover, and let an attacker get at data without authorization.
The BBC quoted Pen Test Partners’ Ken Munro:

It’s probably the simplest hack we have ever seen.

This is what they could do because of the IDOR vulnerabilities:

• Retrieve real-time GPS coordinates of the kids’ watches.
• Call the child on their watch.
• Create a covert one-way audio call, spying on the child.
• Send audio messages to the child on the watch, bypassing the approved caller list.
• Retrieve a photo of the child, plus their name, date of birth, gender, weight and height.

This sure ain’t the first time

Nothing surprising here: it’s just yet another Internet-of-Things (IoT) security SNAFU. You’d think that products designed and sold to be used by kids, and by parents to safeguard those kids, would have sterling security profiles. You’d be wrong.
In October 2017, the Norwegian Consumer Council (NCC) put out a report after looking at four smartwatch models for kids and finding that they were giving parents a false sense of security. Some features, such as the SOS panic button and the geofencing alerts to keep track of kids’ whereabouts, didn’t work reliably.
Most worrying of all, the NCC found that through simple steps, strangers could take control of the smartwatches. Given the lack of security in the devices, eavesdroppers could listen in on a child, talk to them behind their parent’s back, use the watch’s camera to take pictures, track the child’s movements, or give the impression that the child is somewhere other than where they really are.
The NCC’s acting director of digital services, Gro Mette Moen, told the BBC that the MiSafes watches appeared to be “even more problematic” than the other products it had flagged. They never should have hit the market at all, and people should stay away from them:

This is another example of unsecure products that should never have reached the market. Our advice is to refrain from buying these smartwatches until the sellers can prove that their features and security standards are satisfactory.

Unfortunately, nobody can get a response from a China-based company listed as the product’s supplier. That’s nothing new: it didn’t respond to its baby monitor security failings, either.
The privacy/surveillance-sensitive Germany spun on a dime following the NCC’s report: within a few weeks, the country banned the sale, distribution and possession of kids’ smartwatches, calling them illegal spying devices.
Destroy them, said the country’s telecom regulator, and make sure to hang on to the receipt showing that you did.
Then, in February 2018, news came that MiSafes’ Mi-Cam baby monitors were one of the seemingly endless list of baby-cams that left children or babies exposed to the danger of being eyeballed by prying eyes or chatted up by strangers roaming the internet.
SEC Consult, an Austrian cybersecurity company, had found multiple critical vulnerabilities that allowed for the hijacking of arbitrary video baby monitors. Simply modifying a single HTTP request would let an attacker eavesdrop on nurseries and talk to whoever’s near the baby monitor.
The baby monitors also had outdated firmware riddled with numerous publicly known vulnerabilities; root access protected by only four digits worth of credentials (and default credentials, at that); and a password-forget function that sent a six-digit validation key good for 30 minutes: plenty of time for a brute-force attack.
SEC Consult didn’t give away much detail about the vulnerabilities at the time, because it couldn’t figure out how to get through to the vendor to responsibly disclose them. When we first wrote up the news in February, the security firm had been trying to get in touch with MiSafes since December, without any luck.
The BBC says that Amazon used to sell the watches in the UK but hasn’t had any in stock for some time. I couldn’t find any on Amazon US, either. The BBC says it also found three listings for the watches on eBay earlier this week, but they’ve since been removed. eBay said it took down the watch listings due to its ban on selling equipment that could be used to spy on people’s activities without their knowledge.
If you come across any in the dusty corners of the internet, don’t strap them onto your kids. These things are scary, as is the distributor’s utter lack of response.