Researchers have warned that a children’s smartwatch has been leaking users’ personal and GPS data, exposing them to multiple threats.
Created by the Chinese manufacturer, Shenzhen Smart Care Technology (SMA) Ltd., the SMA M2 smartwatch helps parents track their kids’ location, make phone calls, send messages and even send them notifications when their child leaves a designated area.
However, researchers at AV-TEST, have discovered that real-time GPS position data and other personal information of smartwatch users was left unencrypted due to a publicly accessible web API.
Other data left unencrypted included the names of both children and their parents; children’s addresses and their ages.
In a blog post, Malik Morgenstern, CTO at AV-TEST said: “The Chinese children’s watch is anything but a product for the protection of children, but on the contrary a real danger. It offers potential attackers the ability to identify the location of more than 5,000 children and access data from over 10,000 parent accounts.”
Researchers also discovered a vulnerability that allows attackers to intercept and manipulate conversations.
Within the complementary smartphone app director, a configuration file can be used to connect to children’s smartwatches using their user IDs. No authentication is required to do so.
As user IDs are also exposed on the publicly accessible web API, a threat actor can download the app and put a child’s user ID to connect with their phone. The threat actor can then send messages and phone calls.
“Accordingly, the app belonging to the Chinese children’s watch also provides attackers with the opportunity to conveniently access any account and, like the legitimate user, to use the full functionality of the parent app, including position determination, voice messages, telephony and all other functions, said Morgenstern.
The vulnerabilities were found within smartwatches across Turkey, Mexico, Hong Kong, Belgium, Spain, Poland, the Netherlands and China.
Despite the researchers contacting SMA regarding their findings, the smartwatch is still being sold via various distributors worldwide. However, German distributor, Pearl has taken the watch off the market.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.