Connecting every possible device in our lives to the internet has always represented a security risk. But that risk is far more pronounced when it involves a smartwatch strapped to your child’s wrist. Now, even after years of warnings about the security failings of many of those devices, one group of researchers has shown that several remain appallingly easy for hackers to abuse.
In a paper published late last month, researchers at the Münster University of Applied Sciences in Germany detailed their testing of the security of six brands of smartwatches marketed for kids. They’re designed to send and receive voice and text messages, and let parents track their child’s location from a smartphone app. The researchers found that hackers could abuse those features to track a target child’s location using the watch’s GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, to intercept communications between parents and children, and even to record audio from a child’s surroundings and eavesdrop on them. The Münster researchers shared their findings with the smartwatch companies in April, but say that several of the bugs they disclosed have yet to be fixed.
The Münster study builds on years of similar findings. Several vulnerabilities in kids’ smartwatches have been found in previous research including a study by the Norwegian consumer protection agency that found similarly alarming problems. The European Commission even issued a recall for one kid-focused smartwatch last year. Given those repeated exposés, the Münster researchers were surprised to find the products they tested still riddled with vulnerabilities.
“It was crazy,” says Sebastian Schinzel, a Münster University computer scientist who worked on the study and presented it at the International Conference on Availability, Reliability, and Security in late August. “Everything was basically broken.”
The Münster researchers focused on six smartwatches sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. But as they looked into the watches’ design, they found that JBC, Polywell, ANIO, and Starlian all essentially use variations on a model from the same white label manufacturer, with both the watch hardware and backend server architecture provided by a Shenzhen-based Chinese firm called 3G.
Those four devices turned out to be the most vulnerable among those tested. The researchers found, in fact, that smartwatches using 3G’s system had no encryption or authentication in their communications with the server that relays information to and from the parents’ smartphone app. Just as with smartphones, every smartwatch comes with a unique device identifier known as an IMEI. If the researchers could determine the IMEI for a target child, or simply choose one at random, they could spoof the communications from the smartwatch to the server to tell it a false location for the child, for instance, or send an audio message to the server that appeared to come from the watch. Perhaps most disturbingly, they say they could similarly impersonate the server to send a command to the smartwatch that initiated audio recording of the watch’s surroundings that’s relayed back to the hacker.
Separately, the researchers say they found multiple instances of a common form of security flaw in the 3G’s backend server, known as SQL injection vulnerabilities, in which the inputs to a SQL database can include malicious commands. Abusing those flaws could have given a hacker broad access to users’ data—though for legal and ethical reasons the team didn’t actually attempt that data theft. “We didn’t want to harm people, but we could have gotten all the user data and all the position data, voice messages from the parents to the children, and vice versa,” says Münster University researcher Christoph Saatjohann.