Internet connected smartwatches for children have been found to contain security vulnerabilities which allow hackers access to track the wearer's location, eavesdrop on conversations or even communicate with the child user.
And with some of these devices, data is transmitted and stored without encryption, says an investigation by the Norwegian Consumer Council (NCC).
Working alongside security firm Mnemonic, the NCC tested several smartwatches for children and found that they contained security flaws and unreliable safety features - including one which could allow an attacker to fake the location of the user - and lacked protection for consumers.
The NCC examined the terms for downloading and using apps associated with a number of watches and performed technical tests on the devices. The investigation came to the conclusion that the Xplora smartwatch, the Viksfjord smartwatch and the Gator 2 smartwatch - and their associated apps contained unacceptable security vulnerabilities.
Findings differed between watches, but tests showed how unauthorised people could access functions in the apps and watches through "various forms" of attack.
Flaws included allowing information about the child's location to be revealed, provided unauthorised access to accounts and allowing attackers to manipulate the information given to the parents about the child's location.
"The severity and extent of the security holes suggest that the companies have taken few precautions to safeguard the consumer's personal data. This is particularly serious in light of the fact that it concerns children and their movements," said the report.
In addition to this, none of the watches were found to allow users to delete accounts or data, including location data. This is despite the Xplora user manual claiming that location information is kept for a maxium of 72 hours.
Even though they're devices for children, the NCC found that the associated apps asked for more permissions than necessary for the service.
"It's very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly," said Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council.
As a result of the findings the manufacturers are being referred to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act - both based on the EU's Data Protection Directive. The NCC recommends parents don't buy the smartwatches until security standards are "satisfactory".
In response to the report, Colleen Wong, Founder & CEO of Techsixtyfour - the company behind the Gator watch - told ZDNet "We are extremely grateful to the Norwegian Data Protection Authority and have acted quickly upon their findings. We will continue to test our systems and software and ensure that they are up-to-date and capable of repelling all forms of hacking and malware".
ZDNet has attempted to contact the other manufacturers for their response to the report, but hadn't received a reply at the time of writing.
- Internet of Things security: What happens when every device is smart and you don't even know it?
- Cyberwar: A guide to the frightening future of online conflict
- Smart toys are a minefield, for both toymakers and parents [CNET]
- Internet of Things security woes: Can smarter consumers save the IoT from disaster?
- 94% believe unsecured IoT devices could lead to 'catastrophic' cybersecurity attack [TechRepublic]