The Norwegian Consumer Council has uncovered a litany of critical vulnerabilities and privacy shortcomings in several smartwatches specifically targeted at children.
Among other things, malicious agents can easily hijack control of the watches and turn them into covert spying devices, capable of listening in and keeping tabs on the children.
The Consumer Council made the disturbing discovery in collaboration with security firm Mnemonic, which assisted in conducting the security and privacy tests. The shocking findings suggested that, contrary to keeping children safe as advertised, the devices put them at risk.
The three flawed smartwatches all came from different manufacturers. The companies behind the glitchy devices are UK-based XPLORA, local brand Viksfjord, and Gator. All three devices also come with their own mobile apps.
According to the findings, attackers could seize control of the watches to watch, track and eavesdrop on children.
They could also abuse the same exploit to establish contact with the kids. The report further notes the watches’ location settings could be spoofed to trick the children into thinking they are somewhere they aren’t.
The watches also suffered from badly implemented safety features. Parents could, for instance, request to be notified when the child leaves a certain area – or conversely, enters a forbidden area – but Mnemonic and the council found that the features were dangerously unreliable when it came to sending out alerts.
Lastly, the apps associated with the watches lacked proper terms and conditions – in addition to missing the option to delete user data or accounts.
The council also examined the Tinitell watch, but was unable to exploit the device to the same extent as the previous three.
“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” commented the Council’s Director of Digital Policy Finn Myrstad.
“Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist,” Myrstad added further.
The council has since forwarded its research to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act. The complaints are based on the EU’s Data Protection Directive and the Directive on unfair terms in consumer contracts.
The press release further notes that the offending manufacturers continue to actively promote the watches even after they were warned of the violations. The worst part is that the devices are available in a number of other EU member states.
In the meantime, the Council advises consumers to refrain from buying the affected smartwatches until the manufacturers have fixed the vulnerabilities. Its disclosure further guides people to ask for a refund, pointing to the security flaws discovered.
Published October 18, 2017 — 11:26 UTC