Security flaws in children's smartwatches make them vulnerable to hackers

It's another IoT security flaw - attackers can hack smartwatches to monitor the wearer's location, eavesdrop on conversations or even communicate with the child.
Written by Danny Palmer, Senior Writer

Internet-connected smartwatches for children have been found to contain security vulnerabilities that allow hackers to track the wearer's location, eavesdrop on conversations or even communicate with the child user.

And with some of these devices, data is transmitted and stored without encryption, says an investigation by the Norwegian Consumer Council (NCC).

Working alongside security firm Mnemonic, the NCC tested several smartwatches for children and found that they contained security flaws and unreliable safety features - including one which could allow an attacker to fake the location of the user - and lacked protection for consumers.

The NCC examined the terms for downloading and using apps associated with a number of watches and performed technical tests on the devices. The investigation came to the conclusion that the Xplora smartwatch, the Viksfjord smartwatch and the Gator 2 smartwatch, and their associated apps, contained unacceptable security vulnerabilities.

Findings differed between watches, but tests showed how unauthorised people could access functions in the apps and watches through "various forms" of attack.

Flaws included revealing information about the child's location, providing unauthorised access to accounts and allowing attackers to manipulate the information given to the parents about the child's location.

"The severity and extent of the security holes suggest that the companies have taken few precautions to safeguard the consumer's personal data. This is particularly serious in light of the fact that it concerns children and their movements," said the report.


In addition to the security flaws, a common theme across all watches tested is that none of the companies behind them asked for consent to the processing of personal data when setting up an account, with Gator 2 failing to supply terms of use.

In addition to this, none of the watches were found to allow users to delete accounts or data, including location data. This is despite the Xplora user manual claiming that location information is kept for a maximum of 72 hours.

Even though they're devices for children, the NCC found that the associated apps asked for more permissions than necessary for the service.

"It's very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly," said Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council.

As a result of the findings the manufacturers are being referred to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act - both based on the EU's Data Protection Directive. The NCC recommends parents don't buy the smartwatches until security standards are "satisfactory".

In response to the report, Colleen Wong, Founder & CEO of Techsixtyfour - the company behind the Gator watch - told ZDNet "We are extremely grateful to the Norwegian Data Protection Authority and have acted quickly upon their findings. We will continue to test our systems and software and ensure that they are up-to-date and capable of repelling all forms of hacking and malware".

The company has also updated its privacy policy and added that "no breach has ever taken place and no personal information has ever been taken by third parties as far as we are aware of in the UK or abroad".

ZDNet has attempted to contact the other manufacturers for their response to the report, but hadn't received a reply at the time of writing.

