PSA for parents: Do not allow your kids to wear one of these smartwatches
With the holiday shopping season coming to an end, parents need to make sure that they didn't purchase certain low priced children's smartwatches offered for sale by Amazon. So if you are a parent, consider this to be a public service announcement (PSA). Security firm Rapid7 discovered vulnerabilities on three timepieces for children that offer GPS tracking and voice chat. These models, Children's SmartWatch, G36 Children's Smartwatch, and SmarTurtles Kids Smartwatch all use the same hardware and software so any vulnerabilities found on one affect all three watches.
These are not expensive devices as they top out at around $30. One of the watches is no longer available and the other is only offered refurbished. But the G36 Children's Smartwatch can be purchased new through the online retailer. One of the problems is that the SMS filter, used by parents to whitelist certain phone numbers, doesn't seem to work. According to Rapid7, numbers not included on the whitelist can also connect to these watches. In addition, the watches use an SMS interface that can change the configuration of the timepiece via a text message. This could allow a stranger to control a child's watch and even pair it with his own device.
These cheap smartwatches from Amazon could allow a stranger to control your child's device
The report notes that even if the SMS filter was working correctly, a bad actor could spoof a number and make a call anyway. "So, armed with the knowledge of a watch's assigned phone number and the configuration password, unauthenticated attackers can read and write configuration details, up to and including pairing the watch with the attacker's own smartphone." Scary, huh? And consider that the default password for the watch is '123456,' and while this can be changed, one of the watches doesn't mention the password at all in the user guide. Another watch does not include password information on the printed material that comes with the product but does include it on a blog. The third watch has a guide that mentions the numbers but doesn't make it clear that it is a password that can be changed. We figure that the default password can be discovered by a criminal pretty quickly.
The report notes that all three smartwatches employ SETracker or SETracker2 as the backend cloud service for both iOS and Android and are associated with a developer listed only as "wcr." According to AppBrain, "wcr" is associated with 3G Elec; the latter is a company based in Shenzhen, China. Rapid7 tried to get in touch with the company, but all email attempts failed.
Rapid7 sums up the issue: "Given an unchanged default password and a lack of SMS filtering, it is possible that an attacker with knowledge of the smartwatch phone number could assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent). Unfortunately, there does not appear to be any mechanism to address the SMS filtering issue without a vendor-supplied firmware update, and such an update is unlikely to materialize given that the providers of these devices are difficult to impossible to locate. With this in mind, current users of these devices who wish to continue to use the device are urged to investigate how to update the SMS control password. Unfortunately, this process can be different per device, and the documentation can be difficult to locate."
If you planned on giving away these watches for the holidays, we'd return them unopened immediately. If your kids already use one, considering the price, we wouldn't take any chances and would just dispose of it immediately after taking a hammer to the unit.