Child-Tracking Watches Are 'Easy to Hack'

Uploaded on 2018-11-20 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, FREE TO VIEW

A location-tracking smartwatch worn by thousands of children has proven relatively easy to hack. A security researcher found the devices neither encrypted the data they used nor secured each child's account.
 
As a result, he said, he could track children's movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to be from parents.
 
Experts say the issues are so severe that the product should be discarded. Both the BBC and the researcher involved tried to contact the makers of the MiSafes Kid's Watcher Plus to alert them to the problem but received no reply. Likewise, a China-based company listed as the product's supplier did not respond to requests.
 
'Simple Hack'
The MiSafes watch was first released in 2015. It uses a global positioning system (GPS) sensor and a 2G mobile data connection to let parents see where their child is, via a smartphone app. In addition, parents can create a "safe zone" and receive an alert if the child leaves the area.
 
The adult can also listen in to what their offspring is doing at any time and trigger two-way calls. Pen Test Partner's Ken Munro and Alan Monie learned of the product's existence when a friend bought one for his son earlier this year. Out of curiosity, they probed its security measures and found that easy-to-find PC software could be used to mimic the app's communications.
 
This software could be used to change the assigned ID number, which was all it took to get access to others' accounts, making it possible to see personal information used to register the product, including:
  • a photo of the child
  • their name, gender and date of birth
  • their height and weight
  •  the parents' phone numbers
  • the phone number assigned to the watch's Sim card
"It's probably the simplest hack we have ever seen," he told the BBC. "I wish it was more complicated. It isn't."
 
Rather than compromise other people's watches, the researchers bought several more units to test. With these, they found it was possible to:
  • trigger the remote listening facility of someone else's watch, with the only warning being that a brief "busy" message appeared before its screen returned to blank
  • track the wearer's current and past locations
  • alter the safe zone facility so that alerts were triggered by a child's approach rather than their departure
Pen Test Partners also learned it was possible to bypass a feature supposed to limit the watch to accepting calls from only authorised parties. The researchers did this by using an online "prank call" service that fools receiving devices into showing another person's caller ID number.
 
"Once a hacker has the parent's number, they could spoof a call to appear to come from it and the child would now think it's their mum or dad dialing," said Mr Munro.
 
"So they could leave a voice message or speak to the child to convince them to leave their house and go to a convenient location."
 
Using a different tool, Mr Munro said his team were able to see that about 14,000 MiSafes were still in active use
 
Sales Ban
The Norwegian Consumer Council highlighted other cases of child-targeted smartwatches with security flaws last year. It said the MiSafes products appeared to be "even more problematic" than the examples it had flagged.
 
"This is another example of unsecure products that should never have reached the market," said Gro Mette Moen, the watchdog's acting director of digital services.
 
"Our advice is to refrain from buying these smartwatches until the sellers can prove that their features and security standards are satisfactory."
 
In the UK, Amazon used to sell the watches but has not had stock for some time. The BBC found three listings for the watches on eBay but the online marketplace said it had since removed them on the grounds of an existing ban on equipment that could be used to spy on people's activities without their knowledge.
 
MiSafes previously made headlines in February when an Austrian cyber-security company discovered several flaws with its Mi-Cam baby monitors. SEC Consult said these meant hackers could spy on footage from owners' homes and hijack accounts.
 
BBC
 
You Mighht Also Read:
 
Give Children More Control Of Data Privacy:
 
 
« Millennials Are A Threat To Cybersecurity
US & Singapore Agree Cybersecurity Pact »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Packet Ninjas

Packet Ninjas

Packet Ninjas is a niche cyber security agency with specialized expertise in the use of digital intelligence to strengthen cyber security.

NXO France

NXO France

NXO is an independent leader in the integration and management of digital workflows with services covering digital infrastructures, communications & collaboration, and security.

AllegisCyber Capital

AllegisCyber Capital

AllegisCyber is an investment company with a focus on seed and early stage investing in cybersecurity and its applications in emerging technology markets.

Cyber Threat Defense (CT Defense)

Cyber Threat Defense (CT Defense)

CT Defense specialize in penetration testing and security assessments.

BAI Security

BAI Security

BAI Security is a Nationally Recognized Leader in IT Security. Keeping your data safe and your business compliant is our singular focus.

Securd

Securd

Securd takes opportunities away from your cyber adversaries. Cloud-delivered zero-trust DNS firewall and web filtering protection keep your business network and remote employees safe.

Siege Technologies

Siege Technologies

Siege Technologies is a pioneer of multi-purpose cybersecurity products and services that enable customers to leverage both offensive and defensive technologies.

Auvik Networks

Auvik Networks

Auvik is easy-to-use cloud-based networking management and monitoring software - true network visibility and control without the hassle.

Moro Hub

Moro Hub

Moro Hub, a subsidiary of Digital DEWA, is a UAE-based digital data hub focused on digital transformation and operational services.

Concorde Technology Group

Concorde Technology Group

Concorde Technology Group is one of the UK’s leading IT support and services providers, delivering cost-effective and innovative IT solutions to businesses across the country.

NPCERT

NPCERT

NPCERT is a team of Information Security experts formed to address the urgent need for the protection of national information and growing cybersecurity threat in Nepal.

Applied Connective Technologies

Applied Connective Technologies

Applied Connective is one team for all your technology needs, from IT to phones, cyber security to physical security, audio/video and the infrastructure to support it.

Cyber Defense International (CDI)

Cyber Defense International (CDI)

At CDI, we utilize decades of experience in designing and building large-scale cybersecurity programs, creating tailored solutions and services that protect businesses from cyber threats.

Apex iQ (ApexiQ)

Apex iQ (ApexiQ)

ApexiQ is a continuous asset assurance platform that empowers you with the confidence to make better data-driven decisions and take automated action to reduce your risk.

Ransomware Help

Ransomware Help

Ransomware Help is a trusted ransomware recovery company offering fast and effective ransomware recovery services to get your business back on track.

Tototheo Global

Tototheo Global

Tototheo Global harness the power of connectivity and technology to bridge technological divides, driving progress, security, and sustainability for a seamlessly connected world.