The Security Nightmare That Is Children’s Smartwatches
- Abdulaziz AlThabit
- Oct 26, 2020
After years of warnings, a study finally concluded that five out of the six brands tested would’ve allowed hackers to easily track kids, and even eavesdrop on them!
In our modern age, with our lives connected to the internet, our devices have always represented a security risk. That risk is far more pronounced, however, when it involves a smartwatch strapped onto your kid’s wrist. Now, a group of researchers at the Münster University of Applied Sciences in Germany have detailed their security testing of six brands of smartwatches marketed for children, which are designed to send and receive voice and text messages and to let parents track their child’s location from a smartphone app.
The researchers found that hackers could abuse those features to track a target child’s location using the watch’s GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, intercept communications between parents and children, and even record audio from a child’s surroundings and eavesdrop on them. The Münster researchers shared their findings with the smartwatch companies in April, but claim that several of the bugs they disclosed have yet to be fixed.
Most of the smartwatches they tested come from the same manufacturer, with both the hardware and back-end server architecture supplied by a Shenzhen-based Chinese firm called 3G. These devices turned out to be the most vulnerable; in fact, the researchers found that the watches using 3G’s system had no encryption or authentication in their communications with the parents’ app. Perhaps most disturbingly, they claim that they could impersonate the server to send a command to the smartwatch to initiate an audio recording of the watch’s surroundings that is then relayed back to the hacker.
Beyond the many problems the researchers found, Münster’s Sebastian Schinzel says he was shocked to see that these sorts of vulnerabilities persisted after so much previous research and so many public warnings. “It didn’t seem to change a lot,” Schinzel says. “It’s 2020. How can you sell something that speaks over mobile networks, is unencrypted and has no authentication or anything? After three years, there’s been plenty of time to have done a very basic security analysis against their own stuff. And they didn’t do it.”