A cheap $35 kids' smartwatch made in China was caught exposing the personal details and location information for more than 5,000 children and their parents.
In a report published today by the Internet of Things testing division of AV-TEST, researchers said they found egregiously weak security measures protecting the backend and mobile app of the M2 smartwatch, made by Chinese company SMA.
"The Chinese SMA-WATCH-M2 tops the security failures of other manufacturers by far," said Maik Morgenstern, CEO and the Technical Director of AV-TEST, whose team has been testing kids' smartwatches for more than two years.
The M2 smartwatch and its security flaws
The SMA M2 kids' smartwatch has been around for years. It was designed to work with a companion mobile app. Parents would register an account on the SMA service, pair their child's smartwatch to their phone, and use the app to track the kid's location, make voice calls, or get notifications when the child would leave a designated area.
The concept is not new, as there are plenty of similar products on the market, varying in prices from $30 to $200-$300. However, Morgenstern suggests that SMA created one of the most insecure products on the market.
For starters, Morgenstern says anyone can query the smartwatch's backend via a publicly accessible web API. This is the same backend where the mobile app also connects to retrieve the data it shows on parents' phones.
Morgenstern says there's an authentication token in place that's supposedly there to prevent unauthorized access, but attackers can supply any token they like, as the server never verifies its validity.
An attacker can connect to this web API, cycle through all user IDs, and collect data on all kids and their parents.
Morgenstern says that using this technique, his team was able to identify more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts.
Most of the kids were located throughout Europe, in countries such as the Netherlands, Poland, Turkey, Germany, Spain, and Belgium, but the AV-TEST CEO says they've also found active smartwatches in China, Hong Kong, and Mexico.
The data exposed via this Web API included the child's current geographical location, device type, and SIM card IMEI.
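The two backend failures described above, a token that is required but never checked and a user ID that the server never ties to the caller, are illustrated below in a constructed Python sketch. This is an added example written for this article, not SMA's code and not from the AV-TEST report; the record store, the token format and the parent/watch IDs are all invented placeholders.

```python
import hmac, hashlib, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed; a real backend keeps this in a KMS

# Constructed sample records: watch id -> owning parent account and the data the API returns
WATCHES = {
    "watch-1001": {"parent": "parent-1", "location": (52.52, 13.40), "imei": "IMEI-PLACEHOLDER-1"},
    "watch-1002": {"parent": "parent-2", "location": (48.86, 2.35), "imei": "IMEI-PLACEHOLDER-2"},
}

def issue_token(parent_id, ttl=3600):
    """Issue an HMAC-signed bearer token bound to one parent account (hypothetical format)."""
    payload = f"{parent_id}:{int(time.time()) + ttl}"
    sig = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}:{sig}"

def verify_token(token, now=None):
    """Return the parent id if signature and expiry check out, otherwise None."""
    try:
        parent_id, exp, sig = token.split(":")
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, f"{parent_id}:{exp}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time compare rejects forged tokens
        return None
    if not exp.isdigit() or int(exp) < (now if now is not None else time.time()):
        return None
    return parent_id

def get_watch_insecure(watch_id, token):
    """The pattern the report describes: a token must be present, but its value is never checked,
    so any caller can walk through watch IDs and read every record."""
    if not token:
        return None
    return WATCHES.get(watch_id)

def get_watch_secure(watch_id, token):
    """Hardened: verify the token, then enforce that the caller owns the requested watch."""
    parent_id = verify_token(token)
    if parent_id is None:
        return None
    record = WATCHES.get(watch_id)
    if record is None or record["parent"] != parent_id:
        return None  # same answer for unknown and foreign IDs, so there is no enumeration oracle
    return record
```

The hardened version closes both gaps at once: a made-up token fails the signature check, and a valid token only reaches records owned by the account it was issued to.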
Furthermore, a second vulnerability allowed access to even creepier functions. Morgenstern says that the mobile app installed on parents' phones is also very insecure.
An attacker can install it on their own device, change a user ID in the app's main configuration file, and have their smartphone paired with a child's smartwatch without ever having to enter a parent account email address or password.
Once attackers have paired their smartphone to a child's smartwatch, they can use the app's features to track the kid via a map, or even place calls and start voice chats with children.
Even worse, the attacker can change the mobile account's password and lock the parent out from the app while they give a child wrong instructions.
Watch still on sale
Morgenstern says they've contacted SMA with their findings. He did not say how SMA reacted, but only mentioned that the watch is still being sold via the company's website and via other distributors [1, 2].
Morgenstern says that German distributor Pearl has taken the M2 off its shelves after the report.
SMA did not return a request for comment before this article's publication.
The AV-TEST CEO also contacted the Federal Office for Information Security (BSI), Germany's cyber-security agency. In 2017, the BSI banned the sale of kids' smartwatches in Germany if the watch came with a remote listening feature.
Earlier this year in February, the EU recalled two kids' smartwatch models because of similar security flaws that allowed attackers to contact and/or track children's locations.