Major security issues discovered in children's smartwatches

Dec 12, 2019 09:06 GMT
There are tons of smartwatches for children available for purchase from Amazon

Research conducted by security company Rapid7 revealed that three smartwatches specifically built to be used by children come with major vulnerabilities, including a hidden default password and easy SMS filter bypassing.

The three tested models are Children's SmartWatch, G36 Children's Smartwatch, and SmarTurtles Kid's Smartwatch, all of them sold on Amazon.

Rapid7 discovered that although the devices come with an SMS-based interface that is supposed to accept commands only from approved phone numbers, the filtering doesn't work correctly, allowing pretty much any phone number to change the configuration. This means an unauthorized individual can access the settings of the smartwatch and pair it with a different phone, at which point they get full access to the device, including its tracking capabilities.

No contact information

Also worrying is the way these watches handle the default password that parents should technically be able to use to protect the devices and restrict access to their settings only to authorized individuals.

In all three cases, the password was set to “123456” with no documented way to change it.

“One manual does not mention the password at all, another mentions it in a translated blog about the product (but not in the printed material), and a third doesn't characterize the string as a password nor provides any instruction on how to change it,” Rapid7 explains.

Getting in touch with the manufacturers is pretty much impossible as well. The study findings reveal that two of the vendors only show up on Amazon, while the third doesn’t have any contact information or privacy policy.

And of course, there are no workarounds for the security flaws discovered in these products, and Rapid7 warns that unless a firmware update is shipped, the risk of someone else getting access to the smartwatch remains worryingly high.

“Such an update is unlikely to materialize given that the providers of these devices are difficult to impossible to locate,” the company concludes.
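What a firmware fix for the two flaws described above would have to enforce, as an added example that is not Rapid7's or any vendor's code: the sender allowlist is checked before anything in the message is parsed, and no configuration command is accepted while the factory password is still in place. The `Watch` class, the `<password>,<command>,<argument>` message format, the `setpw` and `pair` command names and the 8-character minimum are assumptions made for illustration; only the default password "123456" comes from the article.

```python
import hmac
import re

FACTORY_PASSWORD = "123456"  # the default the article reports on all three watches

def normalize(number):
    """Canonical '+<digits>' form, or '' for anything that is not a phone number."""
    stripped = re.sub(r"[\s\-()]", "", number)
    return stripped if re.fullmatch(r"\+\d{8,15}", stripped) else ""

class Watch:
    def __init__(self, approved, password=FACTORY_PASSWORD):
        self.approved = {normalize(n) for n in approved} - {""}
        self.password = password
        self.paired_phone = None

    def handle_sms(self, sender, body):
        # 1. Allowlist first: the body of a message from an unapproved sender is never parsed.
        src = normalize(sender)
        if not src or src not in self.approved:
            return "dropped"
        # 2. Hypothetical command format: "<password>,<command>,<argument>".
        parts = body.strip().split(",")
        if len(parts) != 3:
            return "malformed"
        supplied, command, arg = parts
        if not hmac.compare_digest(supplied.encode(), self.password.encode()):
            return "bad-password"
        # 3. Changing the password is always allowed, but not to a weak value.
        if command == "setpw":
            if arg == FACTORY_PASSWORD or len(arg) < 8:
                return "weak-password"
            self.password = arg
            return "password-changed"
        # 4. Every other command is refused until the factory password is replaced.
        if self.password == FACTORY_PASSWORD:
            return "change-password-first"
        if command == "pair":
            phone = normalize(arg)
            if not phone:
                return "malformed"
            self.paired_phone = phone
            return "paired"
        return "unknown-command"
```

Calling `handle_sms` with a constructed approved number such as `+15550100001` shows the order of checks: pairing is refused with `change-password-first` until a `setpw` command has replaced the factory password.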