Thursday, March 28, 2024


Firm finds flaw in smartwatches that may let strangers track kids

By Andrew Martin, Bloomberg
Published: December 15, 2019, 6:03am

Security researchers discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and track kids.

Rapid7 Inc., a cybersecurity firm based in Boston, purchased three smartwatches on Amazon.com, costing from $20 to $35, according to Deral Heiland, research lead for IoT technology. He said the models — GreaSmart Children’s SmartWatch, Jsbaby Game Smart Watch and SmarTurtle Smart Watch for Kids — were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school children.

All three devices offer location tracking, messaging and chat features. They were manufactured in China and shared identical hardware and software. They had similar security issues, Rapid7 found.

The watches let authorized users view and change configuration details by texting the watch directly with certain commands. In practice, this restriction didn’t work and “unlisted numbers could also interact with the watch,” Rapid7 said in a report.

This security issue could be fixed with a vendor-supplied firmware update, but “such an update is unlikely to materialize given that the providers of these devices are difficult to impossible to locate,” the cybersecurity firm added.

The watches have a default password of “123456,” but one of the watches’ manuals doesn’t mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn’t characterize the numbers as a password, nor does it provide instructions on how to change it, according to the researchers.

“Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent),” Rapid7 said in its report.

An unauthorized user could shut off safety protocols a parent had set up on the watch, Heiland said.
