Skip to main content

Kids' Smartwatches Are a Security Nightmare

Kids' Smartwatches Are a Security Nightmare Despite Years of Warnings

Story by WIERD

Five out of six brands tested by researchers would have allowed hackers to track kids—and in some cases eavesdrop on them.

CONNECTING EVERY POSSIBLE device in our lives to the internet has always represented a security risk. But that risk is far more pronounced when it involves a smartwatch strapped to your child's wrist. Now, even after years of warnings about the security failings of many of those devices, one group of researchers has shown that several remain appallingly easy for hackers to abuse.

In a paper published late last month, researchers at the Münster University of Applied Sciences in Germany detailed their testing of the security of six brands of smartwatches marketed for kids. They're designed to send and receive voice and text messages, and let parents track their child's location from a smartphone app. The researchers found that hackers could abuse those features to track a target child's location using the watch's GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, to intercept communications between parents and children, and even to record audio from a child's surroundings and eavesdrop on them. The Münster researchers shared their findings with the smart watch companies in April, but say that several of the bugs they disclosed have yet to be fixed.

The Münster study builds on years of similar findings. Several vulnerabilities in kids' smart watches have been found in previous research including a study by the Norwegian consumer protection agency that found similarly alarming problems. The European Commission even issued a recall for one kid-focused smartwatch last year. Given those repeated exposés, the Münster researchers were surprised to find the products they tested still riddled with vulnerabilities.

"It was crazy," says Sebastian Schinzel, a Münster University computer scientist who worked on the study and presented it at the International Conference on Availability, Reliability, and Security in late August. "Everything was basically broken."

The Münster researchers focused on six smartwatches sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. But as they looked into the watches' design, they found that JBC, Polywell, ANIO and Starlian all essentially use variations on a model from the same white label manufacturer, with both the watch hardware and backend server architecture provided by a Shenzhen-based Chinese firm called 3G.

Those four devices turned out to be the most vulnerable among those tested. The researchers found, in fact, that smart watches using 3G's system had no encryption or authentication in their communications with the server that relays information to and from the parents' smartphone app. Just as with smartphones, every smart watch comes with a unique device identifier known as an IMEI. If the researchers could determine the IMEI for a target child, or simply choose one at random, they could spoof the communications from the smart watch to the server to tell it a false location for the child, for instance, or send an audio message to the server that appeared to come from the watch. Perhaps most disturbingly, they say they could similarly impersonate the server to send a command to the smart watch that initiated audio recording of the watch's surroundings that's relayed back to the hacker.

Separately, the researchers say they found multiple instances of a common form of security flaw in the 3G's backend server, known as SQL injection vulnerabilities, in which the inputs to a SQL database can include malicious commands. Abusing those flaws could have given a hacker broad access to users' data—though for legal and ethical reasons the team didn't actually attempt that data theft. "We didn’t want to harm people, but we could have gotten all the user data and all the position data, voice messages from the parents to the children, and vice versa," says Münster University researcher Christoph Saatjohann.

The researchers found that one of the four watches that used 3G's technology, the ANIO4 Touch, had built its own smartphone app to communicate with their smartwatch via their own backend server. But ANIO's code also had severe authentication flaws, they say. After a hacker connects to the ANIO server using legitimate login credentials, they could tweak their identity to send commands as any other user. Separately from 3G's vulnerabilities, that would allow a hacker to intercept locations and intercept or spoof text messages and audio messages.

"Everything was basically broken."
-SEBASTIAN SCHINZEL, MÜNSTER UNIVERSITY

The Münster researchers say yet another smartwatch, the Pingonaut Panda2, similarly lacked TLS encryption in its communications with a server, despite claiming that it used that encryption in a description of the smartwatch's security on its website. That allowed the researchers to intercept text messages sent to the smartwatch and spoof its location within a certain range. But to pull off the more serious attacks that were possible on the other watches, the researchers had to deploy a "man-in-the-middle" technique that used a software-defined radio to intercept the smart watch's GSM cellular communications and respond with its own messages. Using that set-up, they found they could monitor the watch's location and spoof text messages to the watch, just as with the other watches.

Only a smart watch sold by the firm Xplora fared relatively well in the study. Because the device had TLS encryption, researchers only managed to replay intercepted audio messages to the phone, and only by using a radio-based man-in-the-middle attack. That comparatively strong security may have resulted from Xplora fixing its vulnerabilities after being called out by the Norwegian government study of childrens' smartwatches in 2017

When reached out to the companies involved in the study for comment, only 3G immediately responded, saying that it had patched the security issues the researchers had brought to its attention and added encryption to the communications between their watches and servers. "The author did contact us and we solved all the vulnerabilities," a 3G spokesperson wrote in a statement. The researchers confirm that the flaws they found do seem to be fixed in JBC and Polywell's watches, though they didn't attempt to circumvent any of the new security measures. But in the Starlian watch, they say they were still able to spoof a watch's location and messages.

ANIO told the researchers that it had fixed the backend authentication vulnerabilities and that it has added encryption in current and future smart watch models. The Münster researchers found that they were indeed no longer able to monitor a target watch's location or intercept messages to the phone, but they could still spoof the watch's location. As for Pingonaut, when the researchers told the company about its watches' vulnerabilities, it responded that it won't fix the problem in the Panda2 watch model they tested, but that they use TLS encryption to protect communications in more recent models.

Beyond the sheer number of problems the researchers found, Münster's Schinzel says he was shocked to see that these sorts of vulnerabilities persisted after so much previous research and public warnings. "It didn’t seem to change a lot," Schinzel says. "It's 2020. How can you sell something that speaks over mobile networks, is unencrypted and has no authentication or anything? After three years, there's been plenty of time to have done a very basic security analysis against their own stuff. And they didn’t do it."

The researchers concede that not every smart watch necessarily has security flaws as egregious as those they found. They only texted six smart watch models, after all. It's also possible the repeated studies of children's smart watches over several years may have managed to root out some of the devices' worst vulnerabilities. But based on how easily they managed to hack the watches they did test, they say they have little doubt that there are more security flaws across similar devices that they didn't examine.

When asked Schinzel if three years of security analyses gave him the confidence to put these smart watches on his own children, he answered without hesitation: "Definitely not."

Comments

Post a Comment

Popular posts from this blog

Student surprise: Malware masked as textbooks and essays

Student surprise: Malware masked as textbooks and essays By- Kaspersky Malware can masquerade not only as games and TV shows, but also as educational materials. We help you understand what this malware is and how to avoid being infected. It is far too easy to pick up nasty stuff when you try to download   popular TV shows   or   game cheats . However, cybercriminals do not limit themselves to tainting entertainment; you can also stumble upon a virus when looking for work- or study-related materials. This is particularly important to keep in mind as the academic year starts, because the cost of textbooks and other materials for K–12 and college students often leads to many looking for more affordable and free alternatives online. Download an essay, get some malware thrown in Wanting to find out how frequently malicious content is encountered among materials that are posted for free access, we checked how many infections Kaspersky solutions identified in files with school- ...
1 comment
Read more

10 tips for Zoom security and privacy

10 tips for Zoom security and privacy By- Aarti Jatan Gain full control over your Zoom video conferences, family gatherings, and online bar crawls . With social distancing and quarantine measures implemented around the globe, people quickly started searching for effective means of communicating with each other. With its reported ease of use and attractive pricing, Zoom quickly rose in popularity — and people quickly figured out that Zoom’s developers weren’t fully prepared for the level of scrutiny it would receive. With so much use, Zoom’s flaws came rapidly to light. The company handled the tremendous increase of workload seamlessly and quickly reacted to security researchers’ discoveries. However, just like with each and every service, code updates will not address every complaint, but some issues are very much worth keeping in mind. So, here we offer 10 security and privacy tips for Zoom users. 1. Protect your account A Zoom account is just another account, and in setting yours up,...
Post a Comment
Read more

Woman dies during a Ransomware attack on a German hospital

Woman dies during a Ransomware attack on a German hospital It could be the first death directly linked to a cybersecurity attack A woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital. The hospital couldn’t accept emergency patients because of the attack, and the woman was sent to a health care facility around 20 miles away, the Associated Press reported. The cyberattack was not intended for the hospital, according to a report from the German news outlet RTL. The ransom note was addressed to a nearby university. The attackers stopped the attack after authorities told them it had actually shut down a hospital. Health care facilities are one of the biggest targets for cyberattacks, and cybersecurity experts have warned for years that most hospitals aren’t prepared . They rely heavily on devices, like radiology equipment, that are often connected to the internet. Without those...
Post a Comment
Read more