Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack

from the internet-of-broken-things dept

We’ve long noted how the painful lack of security and privacy standards in the internet of (quite broken) things is also a problem in the world of connected toys. Like IOT vendors, toy makers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we’ve seen repeated instances where your kids’ conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

When this problem is studied, time and time again we’re shown how most modern, internet-connected toys can be fairly easily hacked and weaponized. Granted since we haven’t even gotten more pressing security and privacy problems tackled (like the vulnerability of our critical infrastructure), problems like Barbie’s need for a better firewall tend to fall by the wayside.

Another recent case in point: A location-tracking smartwatch worn by thousands of children has proven… you guessed it… rather trivial to hack. The MiSafes Kid’s Watcher Plus is a “smart watch for kids” that embeds a 2G cellular radio and GPS technology, purportedly to let concerned helicopter parents track their kids’ location at all times. But security researchers at UK’s Pen Test Partners have issued a report calling the devices comically unsecure. As with many IOT devices, the researchers found that the devices and systems they rely on did not encrypt any of the data being transmitted:

“I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext.”

The researchers were quick to note that the only check the system’s API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, allows an attacker to return the watch location and device_id associated with that family. Since the watch updates the GPS coordinates to the API every five minutes, it provides a hacker near real-time insight into your kid’s location. Worse, spoofing a caller ID would let said theoretical attacker covertly listen in on your kids, or contact them… while pretending to be you:

“The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used to spoof the Caller ID to a test watch.

Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this?

Yeah, that’s not creepy at all.

Of course like so many IOT devices, MiSafes’ child-tracking smartwatches, which have been on the market in since 2015, are made by a Chinese company that had no interest responding to inquiries by security researchers. And being sold at around £9 ($11.50) per pop, there’s certainly no incentive for its makers to suddenly start dramatically improving their security and privacy standards. It’s another reason why efforts to standardize the inclusion of security and privacy problems in product reviews is something we all need to get behind, since it’s abundantly clear legislation and regulation alone can’t really address the problem.

Filed Under: , , , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

How easy is it to disable the speaker to avoid inadvertently alerting anyone to it’s presence?

From the report: The call was automatically answered, the watch briefly displayed a “Busy” message, then the screen went blank. The watch did not ring, so no one would know who was listening in or from where.

Reminds me of how pentesters have called elevator emergency phones to spy on "private" conversations. (Many will silently auto-answer.)

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...