For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue.
The product is Safe-KID-One, a children's smartwatch produced by German electronics vendor ENOX.
According to the company's website, the watch comes with a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function, and a companion Android mobile app that parents can use to keep track of and contact their children.
The product offers what most parents regularly look for in a modern smartwatch, but in a RAPEX (Rapid Alert System for Non-Food Products) alert published last week and spotted by Dutch news site Tweakers, European authorities ordered a mass recall of all smartwatches from end users, citing severe privacy lapses.
"The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed."
On top of this, authorities also said that "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."
All of these were seen as huge privacy issues by Icelandic consumer protection authorities, which asked EU authorities for the product's recall.
Additional issues were also highlighted on social media by Christian Bernieri, an Italian data protection expert, after the recall's announcement.
While ENOX is the first children's smartwatch vendor to have its products recalled on the EU market, more are bound to follow. Other smartwatches are most likely to exhibit similar privacy and security holes.
Some of these are listed in an October 2017 report from the European Consumer Organisation (BEUC). Back then, BEUC issued a public service announcement on the security and privacy concerns surrounding several children's smartwatch models, warning that most products are rife with security flaws and that they should not be in stores to begin with.
A month later, in November 2017, Germany's Federal Network Agency (Bundesnetzagentur), the country's telecommunications agency, followed the warning and banned the sale of children's smartwatches after it classified such devices as "prohibited listening devices."