For researchers at testing outfit AV-Test, the SMA M2 kids’ smartwatch is just the tip of an iceberg of terrible security.
On sale for around three years, superficially it’s not hard to understand why the model M2 might appeal to anxious parents or carers.
Costing only $32, it pairs with a smartphone so that adults can track the real-time location of kids via GPS, GSM or Wi-Fi using a simple mapping app and online account. Add a SIM and it can be used to make voice calls and there’s even an SOS button children can press in the event of an emergency.
The colour screen, cartoon icons, and baby-blue or pink colour scheme is almost guaranteed to appeal to younger children.
AV-Test’s investigations reveal that the M2 also happens to be an unmitigated security disaster.
Naked Security has covered numerous security screw-ups over the years but it’s hard to imagine a more face-palming charge sheet than that levelled at the makers of the M2 by AV-Test.
To illustrate the point, the testers use the example of a girl called Anna who lives in Dortmund, Germany.
She vacations with her grandparents in a coastal town called Norderney, where she regularly visits the local harbour around 2 o’clock to spot seals for an hour.
The company knows all of this because Anna is wearing an M2 smartwatch which has been leaking this information along with that of another 5,000 children via a public system whose security would be non-existent for any competent hacker.
AV-Test was able to find the names and addresses of these children, their age, images of what they looked like, as well as voice messages transmitted from the watch.
In a development that would be ironic if it weren’t so serious, they were able to discover children’s current locations. Warns AV-Test’s Maik Morgenstern:
We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland.
The epic fail starts with the fact that communication with the online system is unencrypted and its authentication is weak.
Although an authentication token is generated and sent to requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative.
Perhaps worse, the smartphone app’s poorly secured web API makes it possible to borrow any user’s account ID and log into that account.
An attacker could not only track and contact a child but lock legitimate adults out of the account.
Remember, this is a device that is supposed to be a security tracker for carers that turns out to do the same job for anyone.
This is surely worse than no security trackers because at least using nothing wouldn’t lull its users into a false sense of security.
What to do
If you own one of these watches, our advice would be to stop using it immediately.
It’s not clear how many children might be wearing one – AV-Test detected users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the UK, The Netherlands, and China – but it’s likely to be a lot more than the 5,000 the researchers identified.
The maker, SMA, has been told of the flaws while the product’s German distributor has removed it from sale.
The troubling part of this story is that AV-Test has been looking at this type of children’s smartwatch for some years, and this is only the latest and worst example in a sector that seems to have treated security as little more than a tick box – if it looks secure then it probably is.
Indeed, Naked Security has covered security problems with this class of device many times before. In 2017, Germany even reportedly banned the devices over spying worries. Then there’s this week’s case of the baby monitor hacked by a stranger.
Until IoT products like this can demonstrate better security, it’s wise to shop with great caution.