Kids’ smart-watches unsafe at any speed

mostlysignssomeportents:

When it comes to the security defects in kids’ smart watches: “Once is happenstance. Twice is coincidence. The third time it’s enemy action.” For years, these tracking-cuffs have been the locus of awful security scandals. Now it’s happened again.

https://www.wired.com/story/kid-smartwatch-security-vulnerabilities/

Some background: in 2017, the Norwegian Consumer Council audited 4 brands of kids’ smart watch and revealed that strangers could monitor children’s movements and see where they’ve gone, covertly listen in on them, and steal their personal information.

The watches gathered copious amounts of data and sent it, in the clear, to offshore servers. The watches incorporate cameras, and the photos children take were also easily plundered by hackers.

https://fil.forbrukerradet.no/wp-content/uploads/2017/10/watchout-rapport-october-2017.pdf

A year later, Pen Test Partners audited the popular MiSafes watches for 3-12 year olds and found that they were also insecure, and could be used as covert listening and tracking devices, and even to alert attackers when a target child was nearby.

https://www.pentestpartners.com/security-blog/consumer-advice-kids-gps-tracker-watch-security/

Six months after that, Pen Test followed up to test the manufacturer’s claims that they’d fixed these defects.

They hadn’t.

https://www.pentestpartners.com/security-blog/gps-watch-issues-again/

After two years of this nonsense, the EU started to recall some of these watches.

https://www.zdnet.com/article/eu-orders-recall-of-childrens-smartwatch-over-severe-privacy-concerns/

But it’s been a year since that happened, and guess what? The watches are still flaming garbage that you strap to your kids’ wrists. Writing in Wired, Andy Greenberg reports on a Münster University of Applied Sciences paper analyzing the watches.

https://www.hb.fh-muenster.de/opus4/frontdoor/deliver/index/docId/12354/file/Saatjohann_et_al-2020-STALK.pdf

Tldr: the paper is called “STALK.”

The watches could be attacked to

* get kids’ locations

* send voice and text messages to children that appear to come from their parents

* intercept communications between parents and children

* act as listening bugs

The manufacturers were informed of all this in April, and they didn’t fix it.

It’s not like these are subtle errors. The watches have no authentication, no encryption, and can be tracked with their SIMs’ IMEIs.

The backend servers are vulnerable to SQL injections.

“When WIRED asked Schinzel if three years of security analyses gave him the confidence to put these smartwatches on his own children, he answered without hesitation: ‘Definitely not.’”

Image:

Cryteria (modified)
https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY:
https://creativecommons.org/licenses/by/3.0/deed.en