Kid Tracking 'Smart' Watches, Like Most IOT Devices, Prove Not So Smart, Easy To Hack

from the internet-of-broken-things dept

We've long noted how the painful lack of security and privacy standards in the internet of (quite broken) things is also a problem in the world of connected toys. Like IOT vendors, toy makers were so eager to make money, they left even basic privacy and security standards stranded in the rear view mirror as they rush to connect everything to the internet. As a result, we've seen repeated instances where your kids' conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

When this problem is studied, time and time again we're shown how most modern, internet-connected toys can be fairly easily hacked and weaponized. Granted since we haven't even gotten more pressing security and privacy problems tackled (like the vulnerability of our critical infrastructure), problems like Barbie's need for a better firewall tend to fall by the wayside.

Another recent case in point: A location-tracking smartwatch worn by thousands of children has proven... you guessed it... rather trivial to hack. The MiSafes Kid's Watcher Plus is a "smart watch for kids" that embeds a 2G cellular radio and GPS technology, purportedly to let concerned helicopter parents track their kids' location at all times. But security researchers at UK's Pen Test Partners have issued a report calling the devices comically unsecure. As with many IOT devices, the researchers found that the devices and systems they rely on did not encrypt any of the data being transmitted:

"I proxied the iOS app through Burp and could see that the traffic was not encrypted. Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext."

The researchers were quick to note that the only check the system's API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action, allows an attacker to return the watch location and device_id associated with that family. Since the watch updates the GPS coordinates to the API every five minutes, it provides a hacker near real-time insight into your kid's location. Worse, spoofing a caller ID would let said theoretical attacker covertly listen in on your kids, or contact them... while pretending to be you:

"The watch did have some protection against arbitrary people calling the child. It implemented a whitelist of authorised phone numbers that the watch would both call and receive. The problem with that is that Caller IDs can be spoofed. So as a proof-of-concept, I used crazycall.net to spoof the Caller ID to a test watch.

Using the data from the API, an attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch. As shown below, the child would think that it was their Dad that was calling. Would a child do what they were asked if a call came in like this?

Yeah, that's not creepy at all.

Of course like so many IOT devices, MiSafes' child-tracking smartwatches, which have been on the market in since 2015, are made by a Chinese company that had no interest responding to inquiries by security researchers. And being sold at around £9 ($11.50) per pop, there's certainly no incentive for its makers to suddenly start dramatically improving their security and privacy standards. It's another reason why efforts to standardize the inclusion of security and privacy problems in product reviews is something we all need to get behind, since it's abundantly clear legislation and regulation alone can't really address the problem.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: hacking, internet of things, iot, security, smart watch


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    Anonymous Coward, 20 Nov 2018 @ 8:00pm

    Formatting Error!!!!

    link to this | view in thread ]

  2. identicon
    Anonymous Coward, 21 Nov 2018 @ 5:07am

    I beg you, learn to headline

    A hyphen between "kid" and "tracking" is all that it would take to make this headline perfectly understandable at a glance.

    Instead, you have to get to "prove" before you realize it's not about a kid who is tracking watches.

    link to this | view in thread ]

  3. identicon
    Annonymouse, 21 Nov 2018 @ 8:20am

    So a relatively cheap gps tracker + listening device that could be deployed anywhere.
    What is the battery life?
    How easy is it to disable the speaker to avoid inadvertently alerting anyone to it's presence?

    link to this | view in thread ]

  4. identicon
    Anonymous Coward, 21 Nov 2018 @ 9:41am

    Re:

    How easy is it to disable the speaker to avoid inadvertently alerting anyone to it's presence?

    From the report: The call was automatically answered, the watch briefly displayed a “Busy” message, then the screen went blank. The watch did not ring, so no one would know who was listening in or from where.

    Reminds me of how pentesters have called elevator emergency phones to spy on "private" conversations. (Many will silently auto-answer.)

    link to this | view in thread ]

  5. identicon
    Anonymous Coward, 21 Nov 2018 @ 9:43am

    Re: I beg you, learn to headline

    Regardless of whether we're talking about headlines, isn't that hyphen required by English grammar anyway?

    link to this | view in thread ]

  6. identicon
    Anonymous Coward, 21 Nov 2018 @ 11:54am

    Re: Re: I beg you, learn to headline

    Shh, Be quiet. Be vewy quiet. I am twacking a smaaaaaawt watch.

    link to this | view in thread ]

  7. identicon
    Anonymous Coward, 21 Nov 2018 @ 11:59am

    Dafuq is with that phone icon? Did they copy that from win 95 or hyperterminal? Do children recognize that as "phone"?

    Also the twitterish bird and hot air balloon. It seems the sort of thinking that went into security here also pervades the rest of the product. It all but screams "don't buy me!"

    link to this | view in thread ]

  8. identicon
    Anonymous Coward, 23 Nov 2018 @ 4:16pm

    Precedents they set

    I am deeply disturbed about how many parents seem to be determined to act like they are characters in a YA Dystopia Novel and the normalization of the utterly fucked up.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.