EU orders recall of children's smartwatch over severe privacy concerns

EU warns that ENOX Safe-KID-One smartwatches contain several security flaws that let third parties track and call children's watches.
Written by Catalin Cimpanu, Contributor

For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue.

The product is Safe-KID-One, a children's smartwatch produced by German electronics vendor ENOX.

According to the company's website, the watch comes with a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function, and a companion Android mobile app that parents can use to keep track of and contact their children.

The product offers what most parents look for in a modern smartwatch, but in a RAPEX (Rapid Alert System for Non-Food Products) alert published last week and spotted by Dutch news site Tweakers, European authorities ordered a mass recall of all smartwatches from end users, citing severe privacy lapses.

"The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed."

On top of this, authorities also said that "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

All of these were seen as huge privacy issues by Icelandic consumer protection authorities, which asked EU authorities for the product's recall.

Additional issues were also highlighted on social media by Christian Bernieri, an Italian data protection expert, after the recall's announcement.

Bernieri pointed out that ENOX doesn't even appear to be in control of the Android app that ships alongside its smartwatches. The app is owned by a Chinese developer who used the app's privacy policy URL to link to their own LinkedIn profile instead, showing little regard for the EU's privacy regulation.

While ENOX is the first children's smartwatch vendor to have its products recalled on the EU market, more are bound to follow. Other smartwatches are most likely to exhibit similar privacy and security holes.

Some of these are listed in an October 2017 report from the European Consumer Organisation (BEUC). Back then, BEUC issued a public service announcement on the security and privacy concerns surrounding several children's smartwatch models, warning that most products are rife with security flaws and that they should not be in stores to begin with.

A month later, in November 2017, Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, followed the warning and banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices."
