#WatchOut: Significant security flaws in smartwatches for children

As a part of our work on the Internet of things, the Norwegian Consumer Council (NCC) has analyzed consumer rights in four smartwatches for children. These devices were all bought in Norwegian stores, and are called Gator 2, Tinitell, Viksfjord, and Xplora. These smartwatches for children are wearable mobile phones that allow parents to use an app on their smartphones to keep in touch with and track the location of their children. Since the main purpose of these devices is to give parents peace of mind while their children play freely outside, we see it as crucial that they maintain adequate security and privacy standards.

The project consists of two parts: an analysis of the features of the apps/devices and the accompanying user terms, presented in the WatchOut report, and a technical report commissioned by the NCC and produced by the IT security company Mnemonic.download (1)

Devices that use the Internet to allow real-time location tracking of, and direct communication with, young children, and which store names, photos and continuous and historic geolocation data, should have strong safeguards in place. This entails not only a high level of security to avoid unwanted access, but also a robust framework to ensure that data protection laws and the privacy rights of children are respected and upheld. Three out of the four watches that were analyzed fall short in both respects.

Critical Security Flaws

The tests done by Mnemonic have uncovered critical security flaws in three of the apps and devices. As detailed in Mnemonic´s report, two of the devices have flaws which could allow a potential attacker to take control of the apps, thus gaining access to children’s real-time and historical location and personal details, as well as even enabling them to contact the children directly, all without the parents’ knowledge.

Additionally, several of the devices transmit personal data to servers located in North America and East Asia, in some cases without any encryption in place. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that this is taking place.

A False Sense of Security

We have also found that the advertised safety-enhancing features, such as an SOS button that alerts the parents if the child is in distress, and a geofencing function that sends an alert whenever the child enters or leaves a designated area, were unreliable. In practice, this means that the device might in fact provide a false sense of security. This is especially disconcerting since the smartwatches are meant to provide peace of mind for the parents who purchase the devices.

Lack of Respect for Consumer Rights

Inadequate and unclear user terms deny consumers their basic consumer and privacy rights when engaging with these products. Only one of the services actually asks for consent to data collection, none of them promise to notify users of any changes to their terms, and there is no way to delete user accounts from any of the services. At least one of the companion (Xplora) apps also allows children’s personal data to be used for marketing purposes, while the other three are unclear about how this information may or may not be used. Additionally, one of the services (Gator) transmits unencrypted children’s location data to China. Together, these issues constitute several breaches of European data protection and consumer protection laws. WatchOut

Chaotic Market

Additionally, the abundance of smartwatches for children available internationally, with cheap Chinese products being imported and rebranded by a vast number of local retailers, makes it difficult to obtain a clear picture of who is responsible for the various products. For example, several different smartwatches for children use the same app as the Viksfjord watch, the SeTracker app. Some of these devices are seemingly identical to Viksfjord, but are sold under different names on a worldwide basis. As far as we can tell, all the watches using the SeTracker app have the same security and privacy vulnerabilities as the Viksfjord.

Overall, we have uncovered many serious problems with smartwatches for children. It seems clear that consumers currently should think twice before purchasing these or similar devices.

The findings also serve to illustrate the emerging problems facing consumers in the world of connected devices, and the need to make sure that product safety regulations also apply to products with digital components.

This article was first published on the NCC website. Click here to view the full report.