As the old saying goes, hindsight is better than foresight. That is certainly no less true when children are involved in the tech world. Sure, the Internet is chock-full of great information, fun games, great social opportunities, etc. But there are also hackers, scammers, and a number of other individuals looking to take advantage.
That’s what makes this situation understandable, while at the same time questionable. Thanks to a web backend and mobile app for a cheap children’s smartwatch, details for the kids, including their locations, were exposed. Parent account information was exposed as well.
SMA-WATCH-W2 Children’s Smartwatch
This China-made SMA-WATCH-W2 children’s smartwatch sells for just $35, which should have been the first clue that this may not be the best thing to put your trust in. The watch is designed to work with a companion mobile app: parents register for an account, pair the smartwatch with their phone, and track their kids by following the location that shows up in the phone app.
Researchers with the AV-TEST IoT testing division found a lack of security measures protecting the backend of the smartwatch and the accompanying phone app. “The Chinese SMA-WATCH-M2 tops the security failures on other manufacturers by far,” explained Maik Morgenstern, CEO and technical director of AV-TEST. His team has been testing children’s smartwatches for more than two years.
While there are many children’s smartwatches, Morgenstern believes the SMA watch is one of the least secure products available. Anyone can access the backend of the smartwatch via a web API that is publicly accessible.
While there is an authentication token to prevent unauthorized access, attackers can use any token they want, as the server will never check the identity. An attacker can connect to the web API, go through all the user IDs, and collect data on the children and their parents.
When Morgenstern’s team used this technique, they were able to identify more than 5,000 of the children wearing one of these smartwatches and more than 10,000 accounts of the parents. Most of the kids were located in Europe, but children in China, Hong Kong, and Mexico were located too. Along with locations, the watch also gave out the device type and SIM card IMEI.
But it gets even worse. The mobile app that parents install on their phones is not secure either. An attacker can install it on their own phone, change a user ID in the main configuration file, and have it pair with a child’s smartwatch without having to enter any email or password. Once paired, they can track kids on a map, call them, or start a voice chat with them. Then they can change the password and lock the parents out.
Smartwatch Still Available
Nor does the lack of security on this very vulnerable children’s device appear to be an accident, as the company doesn’t seem to care. Morgenstern’s team contacted SMA to let them know what they found, yet the watch is still being sold on the company’s website and through other sellers.
Because of the vulnerabilities that can exist on smartwatches overall, and not just the SMA watch, how old do you think children should be before they are allowed to wear a smartwatch? Tell us your thoughts in the comments below.