Yet another budget kids smartwatch has been sold to thousands of consumers without the manufacturer putting much thought into the security of its users and in this case potentially exposing children to stalkers, kidnapping or worse.
Researchers at antivirus testing firm AV-Test.org issued a warning on Monday about the SMA-WATCH-M2 smartwatch, which offers parents remote monitoring functionality via a GPS tracker connected to a SIM card.
The product is marketed as a tool for giving parents peace of mind, but the researchers found the smartwatch manufacturer SMA, which is based in Shenzhen, China, is endangering users by storing extremely sensitive user data on a server that can be accessed by a “completely unsecured online interface”, which doesn’t encrypt communications and has a broken authentication mechanism.
Details on the server include exact and real-time user location data, phone numbers, user names, user IDs, registered address data, pictures and conversations from more than 5,000 children from Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and China. The researchers were also able to access 10,000 parent accounts from the parent's smartphone child monitoring app.
"Although an authentication token is generated and sent to requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative,” explained AV-Test.org's Maik Morgenstern.
AV-Test.org had no luck getting SMA to respond to the vulnerability report, so the issues remain unfixed. AV-Test.org obtained a test watch from the German distributor Pearl, which has since stopped selling the SMA-WATCH-M2. SMA, however, still sells the watch via other distributors.
Another risk identified is the smartwatch’s corresponding smartphone app for parents. The user IDs exposed by the vulnerable web API make the smartphone app a risk to kids, since the app automatically logs into the ID belonging to the account, without requiring a password.
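As an added illustration of the two failures described above (example code written for this article, not SMA's or AV-Test.org's), the following toy back-end contrasts a lookup that carries a token but never checks it with one that only releases a record when the token was minted for that user ID after a password check; all user IDs, names, locations and credentials are constructed.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample back-end state; every value here is made up for the example.
# Passwords are stored in clear only to keep the block short; a real system
# stores a salted hash.
USERS = {
    "1001": {"name": "parent-A", "password": "correct horse", "child_location": (52.52, 13.40)},
    "1002": {"name": "parent-B", "password": "battery staple", "child_location": (48.85, 2.35)},
}
SESSIONS = {}  # token -> user_id, populated only by a successful login


def public_view(user: Optional[dict]) -> Optional[dict]:
    """Strip the credential before returning a record to any caller."""
    if user is None:
        return None
    return {k: v for k, v in user.items() if k != "password"}


def login(user_id: str, password: str) -> Optional[str]:
    """Mint a random session token only after the password checks out."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(user["password"], password):
        return None
    token = secrets.token_hex(16)
    SESSIONS[token] = user_id
    return token


def vulnerable_lookup(user_id: str, token: str) -> Optional[dict]:
    """The pattern the article describes: the request carries a token, but the
    server never consults it, so a guessable user ID is the whole credential."""
    return public_view(USERS.get(user_id))


def hardened_lookup(user_id: str, token: str) -> Optional[dict]:
    """Release the record only if the token exists server-side and was issued
    for this exact user ID, so one account's token cannot read another's data."""
    if SESSIONS.get(token) != user_id:
        return None
    return public_view(USERS.get(user_id))
```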
“The app belonging to the Chinese children’s watch also provides attackers with the opportunity to conveniently access any account and, like the legitimate user, to use the full functionality of the parent app, including position determination, voice messages, telephony and all other functions. There is no warning message to other users of the app,” writes Morgenstern.
Morgenstern argues the combined security shortcomings of the web interface and smartphone app put kids in "real danger". It creates a frightening scenario in which an attacker knows exactly where the child is located, can call the child directly and can also lock parents out of the child's account without the parent knowing someone else had linked the smartphone app to the child's device. Additionally, the attacker has access to a trove of personal information about the child, including the names of parents and images of both the child and parent.
The vulnerability is another reminder that cheap IoT devices, often imported from China, could become a security headache for users who lack the expertise to assess these devices prior to purchasing them.
Kids smartwatches have been in the spotlight for bad security before. The Norwegian Consumer Council (NCC) in 2017 warned parents against buying three smartwatch models after finding flaws similar to the ones identified in SMA's kids smartwatch.
Germany’s telecoms regulator Federal Network Agency (Bundesnetzagentur) subsequently banned all kids smartwatches after deeming them to be illegal listening devices because the smartphone app allowed parents to listen unnoticed to a child’s environment. It also found that parents were using the remote monitoring functionality to listen to teachers in class.