Kids Smartwatch Isn't Nearly Secure Enough, Report Reveals

The toys are watching

Key Takeaways

  • A Chinese-made smartwatch for children allows unauthorized users to take pictures and listen to audio, according to a report.
  • The incident highlights the issue of internet security and gadgets for children, experts say.
  • Smartwatches pose a particular privacy risk as they contain a SIM card and GPS locator, one observer says.

A smartwatch aimed at kids lets unauthorized users take snapshots and listen in on conversations, a new report says. 

The manufacturer of the watch, the Chinese technology company Qihoo 360, engineered the watch’s software to allow the unauthorized surveillance, according to the report by the security firm mnemonic. The watch is "re-branded and sold to European and US markets by the Norwegian firm Xplora, who claims to have sold more than 350,000 smartwatches for children globally," the report says.

"The new discovery of a backdoor in the Xplora smartwatch is problematic, but not surprising," Alvaro Cardenas, a professor of Computer Science and Engineering at the University of California, Santa Cruz, said in an email interview. "A kind interpretation is that it might have been a feature in development that allowed parents to take pictures of their children or allowed them to see the surroundings if a child was kidnapped. 

"A more problematic interpretation is that the smartwatches can be used to spy on children. In either case, this functionality shouldn't have been kept in the final release of the smartwatch."

A Window Into a Bigger Problem

The new report highlights the issue of internet security and gadgets for children, experts say. 

"The vast majority of people today don’t realize just how much of their private data is now being stored on devices beyond their phones, tablets, and laptops," John Shegerian, Co-Founder and Executive Chairman of ERI, an electronics destruction company, said in an email interview.

"In 2020 we’re talking about everything from your car’s dashboard to your fitness equipment to household items like smart fridges and microwave ovens and yes, this also includes children’s electronic games and toys."

The backdoor into the Qihoo smartwatch appears to have been intentionally manufactured, the report’s authors write. It can be activated by sending SMS commands to the watch.

"To trigger the backdoor, knowledge of a secret encryption key is required," the authors wrote. "Our research leads us to believe that the functionality cannot be used without knowledge of the key. However, as the technical run-through will show, there are several parties with the necessary access, including Xplora and Qihoo 360."

An attempt to reach the company for comment was unsuccessful.

Watches That Watch You

Smartwatches pose a particular privacy risk as they contain a SIM card and GPS locator "providing the location of your child as he or she uses the toy," Shegerian said.

"Many watches and similar devices collect, transmit and store large amounts of personal data, including location data," he continued. "Some of the watches do not even use basic security techniques such as encryption in transit to protect the data and can easily be accessed by third parties without consent."

Connected children’s products, such as toys, have made headlines for years due to security and privacy issues, Gonda Lamberink, Senior Business Development Manager at UL, said in an email interview.

"A scary scenario much-feared by parents is that hackers can effectively take control of children’s products, i.e. impersonate someone they’re not, such as through a built-in speaker in a doll or teddy bear, taking over their 'voice' through an insecure, local Bluetooth connection having open pairing, not requiring any password, or having weak password security," she added.

Baby Monitors Pose a Risk

Some of the most problematic devices from a privacy perspective are baby monitors, Cardenas said. Cameras connected to the internet have been "historically poorly configured and designed," he added. "They allow attackers to listen to private conversations inside homes and, perhaps more problematically, talk to children and babies in the house."

One disturbing example of this issue was the recent case of a girl who said there was a monster in her room. A couple of days later, the mother walked in and realized her baby monitor was playing pornographic videos. 

For parents, the smartwatch study taps into their deepest fears about exposing their children to strangers. Experts have no clear answer to the problem, but it may be enough to make many people think carefully about their next tech purchase for their kids.