The smartwatches on your children’s wrists may let strangers track them in real time and contact them directly, according to a report released this month that uncovers severe shortcomings in some of these products and their mobile apps.
The Norwegian Consumer Council (NCC) commissioned an investigation into security measures available for the Gator 2, Tinitell, Viksfjord and Xplora devices marketed as smartwatches for children. They all make and receive calls, offer GPS tracking, and include support for a contact list. Additional capabilities range from text communication, voicemail, geo-fencing and an SOS button to blocking the shutdown of the device.
The technical assessment, conducted by IT security firm Mnemonic, reveals alarming problems, ranging from the account registration process to where private information is sent and stored. These matters are normally spelled out in the user agreement, which is typically available before an account is set up and requires consent from the user. Of the four, only Tinitell asks for consent at registration, while Gator has no user terms. The other three products collect personal data without user acceptance, an infringement of European data and consumer protection laws, and the data can then be used for marketing.
Mnemonic discovered multiple methods to compromise Gator 2 and Viksfjord devices, without raising an alarm about unauthorized activity. The company says in the report for the NCC that they “see no way for consumers to protect themselves,” adding that “discontinued use will only prevent active tracking of the watch and further collection of data.”
What is more, these two smartwatches are vulnerable to man-in-the-middle (MitM) attacks that permit manipulation of the location data from the device. As a consequence, an attacker could monitor the location of the child and make it look as if the child is in a safe place. Furthermore, Viksfjord can initiate a call to a specific phone number without user interaction, turning it into a spying gadget.
The report from the NCC points out issues in all four devices tested by Mnemonic, raising concern among parents looking to keep an eye on their children’s whereabouts. Instead of providing peace of mind, the devices could do more harm than good by sending children's personal data to third parties. Gator, for instance, delivers the information in plain text to a server in China.
The greater concern is that some of these smartwatches are sold under different brand names, making it difficult to pinpoint the devices that pose a risk to the security of the wearer. Consumers should make sure that the IoT products they buy meet minimum security standards and, most importantly, know who is responsible for them.
Image credit: Norwegian Consumer Council (NCC)