Researchers from Doctor Web discovered significant vulnerabilities in several models of smartwatches for children popular in Russia.
In particular, they found weak passwords, suspicious behavior, and unencrypted data transmissions.
Vulnerabilities in all models
More and more connected devices, such as watches, are intended for children. They allow parents to communicate with their children, locate them and monitor their activities. But, as researchers at Doctor Web discovered, several models of connected watches have significant vulnerabilities that threaten the privacy of their young users and can make their data more public than expected.
Four connected watch models were studied: ELARI KidPhone 4G, Wokka Lokka Q50, ELARI FixiTime Lite and Smart Baby Watch Q19. These models were chosen for their popularity in Russia and to cover a range of prices. The researchers' conclusions are clear: all of these watches have vulnerabilities of greater or lesser significance.
The watch with the most problems is the ELARI KidPhone 4G. The researchers discovered three hidden modules within it that transmit data to a remote server and receive commands from it. The modules send the user's phone number, SIM card information, geolocation data, and device information. In return, they may receive commands to download or uninstall applications and load web pages. The researchers point to the possibility that these modules could be used to download malicious applications or load advertisements.
Insecure data transmissions and passwords
The Wokka Lokka Q50 smartwatch shows no suspicious activity. However, it suffers from several security flaws. The data transmitted between the watch and the server is not encrypted, and its default password, "123456", is very weak. In addition, users are not clearly told that the password can be changed. Because of these flaws, man-in-the-middle attacks are easy to carry out and would allow attackers to gain information about the user or take control of the watch.
The ELARI FixiTime Lite smartwatch suffers from the same problem of data transmitted insecurely. For example, images and voicemail messages are sent over HTTP and could easily be intercepted. The last model, the Smart Baby Watch Q19, does encrypt its transmissions, but it uses the same weak password as the Wokka Lokka for sending commands. However, those commands are limited, and this model remains the one that presents the least risk.
The researchers note that although their research focused on particular watch models, it is very likely that other watches share the same software and firmware as those studied, and therefore the same vulnerabilities. They therefore call on parents to be careful when purchasing connected devices for their children. Companies affected by these vulnerabilities have been notified of them.
Source: Doctor Web