December 12, 2019
While kids who wear smartwatches can keep in closer touch with their parents during the day, unfortunately, mom and dad may not be the only ones who are tracking their children’s activities. Security researchers have discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and follow kids, according to a report by Bloomberg.
Rapid7, a Boston-based cybersecurity firm, purchased three smartwatches on Amazon.com, costing from $20 to $35, according to Deral Heiland, research lead for IoT Technology at the company. He said the models—GreaSmart Children’s SmartWatch, Jsbaby Game Smart Watch, and SmarTurtle Smart Watch for Kids— were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school-aged kids.
According to the Bloomberg report, all three devices offer location tracking, messaging, and chat features. They were manufactured in China and shared nearly identical hardware and software. They also had similar security issues, Rapid7 found.
The watches let authorized users view and change configuration details by texting the watch directly with certain commands. In practice, this didn’t work and “unlisted numbers also could interact with the watch,” Rapid7 said in a report.
This security issue could be fixed with a vendor-supplied firmware update, but “such an update is unlikely to materialize, given that the providers of these devices are difficult to impossible to locate,” the cybersecurity firm noted.
The watches have a default password of “123456,” but one of the watch’s manuals doesn’t mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn’t characterize the numbers as a password nor does it provide instructions on how to change it, according to the researchers.
“Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent),” Rapid7 said in its report.
Rapid7 said its researchers weren’t able to contact the sellers nor what they believe is the manufacturer of the watches, a Chinese company called 3g Electronics. The company didn’t respond to a message from Bloomberg News seeking comment.
The GreaSmart Children’s SmartWatch is no longer for sale on Amazon, according to Rapid7. GreaSmart, Jsbaby, SmarTurtle didn’t respond to a requests for comment. Oltec, a merchant that sells the SmarTurtle watch on Amazon, didn’t respond to a message sent via Amazon’s site.
“Consumers that are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons,” Rapid7 warned in its report.
Research contact: @business