Connecting every device in our lives to the internet has always been a security risk. However, that risk is far greater when it comes to a smartwatch that is attached to your child’s wrist. Even after years of warnings about vulnerabilities in many of these devices, a group of researchers has shown that some are still easy for hackers to abuse.
In an article published late last month, researchers at the Münster University of Applied Sciences in Germany detailed their tests on the security of six brands of smartwatches for children. They are designed to send and receive voice and text messages, and parents can track their child
The Münster study builds on similar findings over many years. Previous research identified several vulnerabilities in children’s smartwatches, including a study by the Norwegian Consumer Protection Agency that found similarly alarming issues. The European Commission even issued a recall for a children’s smartwatch last year. In view of these repeated exposés, the Münster researchers were surprised that the products they tested still had weak points.
“It was crazy,” says Sebastian Schinzel, a computer scientist from the University of Münster, who worked on the study and presented it at the end of August at the International Conference on Availability, Reliability and Security. “Everything was basically broken.”
The Münster researchers focused on six smartwatches sold by JBC, Polywell, Starlian, Pingonaut, ANIO and Xplora. However, while researching the watch design, they found that JBC, Polywell, ANIO, and Starlian are essentially using variations of a model from the same white label manufacturer, with both the watch hardware and backend server architecture provided by a Shenzhen-based Chinese company called 3G.
These four devices were found to be the most vulnerable among those tested. Indeed, the researchers found that smartwatches using the 3G system did not have any encryption or authentication in their communication with the server that forwards information to and from the parents’ smartphone app. Just like smartphones, every smartwatch has a unique device identifier called an IMEI. If the researchers could determine the IMEI for a target child, or simply pick one at random, they could spoof communication from the smartwatch to the server, for example to report a false location for the child, or send an audio message to the server that seemed to come from the watch. Perhaps most troubling is that they could similarly impersonate the server to send a command to the smartwatch that initiates audio recording of the watch’s surroundings, which is then sent back to the hacker.
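The following added example (not code from the researchers or from any vendor) contrasts a server that trusts a bare IMEI with one that requires a per-device HMAC tag and a fresh counter. The message fields, key store and function names are hypothetical, the IMEI and key are constructed, and the sketch covers authentication and replay only, not encryption of the channel.

```python
import hashlib, hmac, json

# Constructed IMEI and per-device secret (hypothetical key store filled at provisioning).
DEVICE_KEYS = {"490154203237518": b"constructed-demo-key"}
LAST_COUNTER = {}  # highest counter accepted per IMEI, for replay rejection

def accept_imei_only(msg):
    """Weak design described above: a known IMEI is the only check."""
    return msg.get("imei") in DEVICE_KEYS

def sign(msg, key):
    """Device side: HMAC-SHA256 tag over the fields the server relies on."""
    fields = {k: msg[k] for k in ("imei", "counter", "type", "body")}
    data = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def accept_authenticated(msg):
    """Hardened check: valid tag under the device key and a fresh counter."""
    key = DEVICE_KEYS.get(msg.get("imei"))
    if key is None:
        return False
    try:
        expected = sign(msg, key).encode()
    except KeyError:  # a required field is missing
        return False
    if not hmac.compare_digest(expected, str(msg.get("tag", "")).encode()):
        return False
    counter = msg["counter"]
    if not isinstance(counter, int) or counter <= LAST_COUNTER.get(msg["imei"], -1):
        return False  # replayed or out-of-order message
    LAST_COUNTER[msg["imei"]] = counter
    return True

def demo():
    imei = "490154203237518"
    genuine = {"imei": imei, "counter": 1, "type": "location", "body": "51.96,7.62"}
    genuine["tag"] = sign(genuine, DEVICE_KEYS[imei])
    forged = {"imei": imei, "counter": 2, "type": "location", "body": "0.0,0.0"}
    return {
        "imei_only_accepts_forged": accept_imei_only(forged),
        "hmac_accepts_forged": accept_authenticated(forged),
        "hmac_accepts_genuine": accept_authenticated(genuine),
        "hmac_accepts_replay": accept_authenticated(genuine),
    }

if __name__ == "__main__":
    print(demo())
```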
Separately, the researchers found several instances of a common form of vulnerability in the 3G backend server, known as SQL injection, in which input passed to an SQL database can contain malicious commands. Misusing these bugs could have given a hacker widespread access to user data, although the team did not actually attempt this data theft for legal and ethical reasons. “We didn’t want to harm people, but we could have received all user data and position data, voice messages from parents to children and vice versa,” says Christoph Saatjohann, researcher at the University of Münster.