- Researchers have found major security flaws in childrens’ smartwatches that could let hackers hijack them.
- In some cases, they could be used to track kids’ locations, eavesdrop on them, or send them messages.
- At least one retailer has since pulled some of the devices off its shelves.
Security flaws in a number of smartwatches aimed at children means hackers and strangers could hijack them and use them to track and eavesdrop on kids.
The various issues were discovered by security firm Mnemonic, working with the Norweigan Consumer Council, after it analysed the Gator, Tinitell, Viksfjord/SeTracker, and Xplora smartwatches.
The devices are marketed as a way for parents to keep tabs on and communicate with their children via apps — but some have very serious security flaws, and fall short of various standards. “Three of the four watches that were tested were found to contain significant security flaws,” Mnemonic wrote in its report. “The flaws are not technically difficult to exploit, and in two cases, allow a third party to surreptitiously take control over the watch.”
The Gator 2, Viksfjord/SeTracker, and Xplora devices were all found to have “multiple serious and practical attacks.” In the Gator 2, for example, this includes hijacking the device, allowing the attacker to track its current location (and hence, the location of its child wearer), location history, the ability to send voice messages to the watch, and editing contact phone numbers it stores.
The Viksfjord/SeTracker, meanwhile, can be turned into a “remotely controllable listening device,” or give an attacker the ability to communicate directly with the child.
And the researchers were able to access sensitive data from other Xplora customers, including locations, names, and phone numbers — suggesting it is not being stored properly.
Meanwhile, none of the four devices give users the option to delete their accounts or have location data delete automatically after a set period of time. Only the Tinitell promises to implement reasonable security standards, Mnemonic said.
John Lewis, the British high street retailer, has since stopped selling a Gator kids’ smartwatch, telling The Telegraph: “As a precautionary measure we have withdrawn from sale all Gator smartwatch products while we await further advice and reassurance from the supplier.”