If you bought a smartwatch for your kid, you may want to reconsider it. According to a recent alarming discovery, a line of smartwatches designed exclusively for children could be spying on them. A researcher has discovered an undocumented backdoor that allows a third person to access a camera, wiretap voice calls, and track your child’s location in real-time.
According to Ars Technica, the problem was found in Xplora’s X4 smartwatch. After some digging and reverse engineering, Harrison Sand of Norwegian security company Mnemonic found a backdoor that had gone undetected before. He found commands for tracking and reporting the watch’s real-time location, accessing the camera and sending a snapshot to an Xplora server, and wire-tapping phone calls.
Although Xplora is based in Norway, Sand reported that 19 of X4’s pre-installed apps were developed by China-based Qihoo 360. I’m not implying that every gadget made in China will spy on you, but the thing is that Qihoo 360 was blacklisted in the US over spying controversies.
Now, according to Ars Technica, not everything is as grim as it sounds. Although there is access to the smartwatch, it may not be that easy to use it. “To make use of the functions, someone would need to know both the phone number assigned to the watch […] and the unique encryption key hardwired into each device,” this source notes.
Xplora issued a statement regarding the recently discovered backdoor. The company confirmed that obtaining both the key and the phone number would not be easy, and neither would collecting the data. They also added that a patch is on the way. Here is the statement in full:
“We want to thank you for bringing a potential risk to our attention. Mnemonic is not providing any information beyond that they sent you the report. We take any potential security flaw extremely seriously.
It is important to note that the scenario the researchers created requires physical access to the X4 watch and specialized tools to secure the watch’s encryption key. It also requires the watch’s private phone number. The phone number for every Xplora watch is determined when it is activated by the parents with a carrier, so no one involved in the manufacturing process would have access to it to duplicate the scenario the researchers created.
As the researchers made clear, even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.
Only two Xplora employees have access to the secure database where customer information is stored and all access to that database is tracked and logged.
This issue the testers identified was based on a remote snapshot feature included in initial internal prototype watches for a potential feature that could be activated by parents after a child pushes an SOS emergency button. We removed the functionality for all commercial models due to privacy concerns. The researcher found some of the code was not completely eliminated from the firmware.
Since being alerted, we have developed a patch for the Xplora 4, which is not available for sale in the US, to address the issue and will push it out prior to 8:00 a.m. CET on October 9. We conducted an extensive audit since we were notified and have found no evidence of the security flaw being used outside of the Mnemonic testing.”
Even though it may not be that easy to access the camera, calls, and location, I’d probably still think twice before buying that smartwatch. Ironically, it looks like the gadget that’s made to increase children’s safety isn’t always that safe.
[via Ars Technica]