Getting a smartwatch for your child seems like a great idea. But it’s not. At least not from a security and privacy perspective. A research team from Münster University in Germany analyzed six popular brands of smartwatches for kids. They discovered several severe security issues. Even after all these years, some manufacturers seem not to take warnings seriously.
Smartwatches’ Endless Capabilities
Today, the capabilities and features of smartwatches are endless: tracking basic to more advanced fitness metrics, displaying smartphone notifications, tracking your moves via GPS, monitoring your health, camera and music features, and more.
While many smartwatches for children are more basic than adult versions, they certainly bring some very appealing features to the table: an SOS button or a geofencing function, for example, or simply the possibility to make two-way calls, add a calendar, or set a timer. These give your little one a bit more of the independence they so yearn for.
Over the years, however, the growing interest in smartwatches for children has sparked a number of privacy and security concerns. Having a smartwatch on your own wrist is one thing. But when you strap a smartwatch to a child’s wrist, the risks suddenly become far more serious.
A False Sense of Security
Privacy can be a problem with any smart technology, from cameras, speakers, doorbells and all sorts of wearables all the way to baby monitors and Internet-connected toys. What’s more, consumers are now more connected than ever. We save and share information, but rarely delete it. We buy and use IoT devices without adjusting privacy settings. In the end, it is up to the user to decide whether the benefits outweigh the risks. But what if that user is a child?
Tests and studies of children’s smartwatches have repeatedly uncovered critical security flaws. Some were so severe that consumer organizations in both Europe and the US pursued the findings from studies like the Norwegian Consumer Council’s “WatchOut Report” with their respective authorities and warned smartwatch makers. That all happened way back in 2017.
Now, in 2020, apparently not much has changed. A recent study by researchers at Münster University of Applied Sciences in Germany found that the smartwatches they tested were riddled with vulnerabilities. So, while smartwatches are meant to provide more peace of mind for parents, in reality many of the “safety-enhancing” features expose children to the exact opposite, giving parents a false sense of security.
The researchers analyzed six smartwatches and also reverse-engineered the corresponding smartphone apps. The watches they looked at were: Starlian Tracker GM11, Polywell S12, JBC Kleiner Abenteurer (Little Adventurer), Pingonaut Panda2, Anio4 Touch, and Xplora Go. Four of the devices, namely the ones from Starlian, Polywell, JBC, and Anio, are all created by the same Shenzhen-based white label (OEM) manufacturer, called 3G.
The Münster study results show that most smartwatches for children contain critical security vulnerabilities. The four devices using 3G’s system turned out to be the most vulnerable. Some contained flaws that even attackers with very little knowledge of their victim could easily exploit.
“We found that an attacker can spoof the position of a watch on three out of the four tested platforms and can spoof voice messages from the watch on two of them. Additionally, an attacker can perform a complete takeover on at least one of the platforms, allowing them to track victims. We also found several privacy problems with the watch platforms”, the report said. In some cases, if the researchers had wanted to, they could even have obtained all the user and position data, as well as all the voice messages from parents to children and vice versa.
The Better Ones Out of the Bunch
Surprisingly, 50% of the smartwatches sampled turned out to be OEM versions, even though the research team explicitly bought premium, “German” smartwatches. One can imagine that a parent concerned about privacy and security would specifically look for a home-grown brand and willingly pay the difference of up to €110 between the premium brand and a 3G smartwatch made in China. Unfortunately, in many cases, they unknowingly buy the exact same thing at a premium price.
The researchers’ overall conclusion was that smartwatches for children are severely lacking in terms of privacy and security. Only two out of the six smartwatches have good security. First up is the Xplora Go, where the researchers were unable to identify any critical vulnerability. In second place is the Pingonaut Panda2, where the team was unable to identify severe vulnerabilities in the application.
Münster University disclosed all vulnerabilities to the vendors with the standard 90-day disclosure deadline. They also supported them in developing fixes. In their report, the researchers stated that JBC, ANIO, Pingonaut, and 3G Electronics were very cooperative and provided feedback on the disclosure. In the meantime, most vulnerabilities seem to be fixed. Also, some newer models now use, for example, TLS encryption. So maybe, just maybe, more manufacturers are finally taking security vulnerabilities seriously.