The Norwegian Consumer Council (NCC) has warned parents against three smartwatch models aimed at kids after finding easily exploitable security flaws that can turn them into a spying device.
NCC has reported the manufacturers of the Xplora, Viksfjord, and Gator 2 to the Norwegian Data Protection Authority and the Consumer Ombudsman, alleging they and their associated apps breach Norway’s Personal Data Act and the Marketing Control Act.
NCC contracted Oslo-based security firm Mnemonic to test the devices’ security, privacy, and emergency functionality.
The only watch that passed its security test was a Swedish-brand smartwatch called Tinitell, but it notably had far more limited functionality than the others. Tinitell was also the only watch that sought a parent’s consent at the time of registration.
Besides security flaws, NCC argues that unreliable emergency features can create a false sense of security for parents. It notes that Viksfjord and Gator 2 are marketed with the slogan “Your peace of mind, your children’s freedom”.
The study found the SOS button on the Gator 2 watch, from Chinese firm Gator Group, only worked once and required a restart for SOS to work again. Sometimes it didn’t work at all.
“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” said Finn Myrstad, Director of Digital Policy at NCC.
“Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist.”
NCC last year raised an alarm over several smart toys, including the talking doll My Friend Cayla, which the German telecommunications authority banned after deeming it a concealed spying device.
Mnemonic redacted from its report the methods it used to exploit each smartwatch's flaws. It does note, however, that the Gator 2 was easy to pair with a rogue online account, giving an attacker access to the location of the watch and its location history, and the ability to send voice messages to the watch, remove geofences, and remove phone numbers from the contact list.
They also found there was no way to delete data collected from paired online accounts. And there were no alerts sent to the real account when a second account was paired.
“Based on our understanding of the product, it appears very difficult for Gator to successfully patch and secure their service to a level that reasonably protects customers, without a major redesign of the Gator 2 product, back-end service, and mobile app,” Mnemonic wrote.
NCC described the market for kids' smartwatches as "chaotic" and filled with "cheap Chinese products" that are imported and rebranded, which made it difficult to find out who was responsible for a product.
The Viksfjord watch, which sounds Norwegian, is believed to be made by Chinese firms 3G Electronic and Wonlex. It’s sold in Norway through the “GPS for Barn” or GPS for Kids site and harbors a serious flaw that probably can't be patched.
If an attacker can find the Viksfjord's IMEI or phone number, they could “completely compromise” the user account, which gives the attacker full access to the device. Also, since the registration code to pair the device with an account is on the back of the watch, anyone could ask the child to let them look at the device and from there pair the watch to their account.
“Similar to the account takeover attack with the Gator 2, we see no way for consumers to protect themselves. Discontinued use [of the Viksfjord watch] will only prevent active tracking of the watch and further collection of data,” Mnemonic notes.
The Gator 2 and Viksfjord were both vulnerable to a man-in-the-middle attack that allows an attacker to spoof the location of the watch as reported to each manufacturer’s server.
The Viksfjord watch also allowed an attacker to instruct the device to call back a number of their choosing, allowing the attacker to eavesdrop on the child.
Mnemonic redacted most details about the Xplora watch flaw; however, it reported being able to access other Xplora users' location data, names, and phone numbers.