Child-Tracking Watches Are 'Easy to Hack'

A location-tracking smartwatch worn by thousands of children has proven relatively easy to hack. A security researcher found the devices neither encrypted the data they used nor secured each child's account.
 
As a result, he said, he could track children's movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to be from parents.
 
Experts say the issues are so severe that the product should be discarded. Both the BBC and the researcher involved tried to contact the makers of the MiSafes Kid's Watcher Plus to alert them to the problem but received no reply. Likewise, a China-based company listed as the product's supplier did not respond to requests.
 
'Simple Hack'
The MiSafes watch was first released in 2015. It uses a global positioning system (GPS) sensor and a 2G mobile data connection to let parents see where their child is, via a smartphone app. In addition, parents can create a "safe zone" and receive an alert if the child leaves the area.
 
The adult can also listen in to what their offspring is doing at any time and trigger two-way calls. Pen Test Partner's Ken Munro and Alan Monie learned of the product's existence when a friend bought one for his son earlier this year. Out of curiosity, they probed its security measures and found that easy-to-find PC software could be used to mimic the app's communications.
 
This software could be used to change the assigned ID number, which was all it took to get access to others' accounts, making it possible to see personal information used to register the product, including:
  • a photo of the child
  • their name, gender and date of birth
  • their height and weight
  •  the parents' phone numbers
  • the phone number assigned to the watch's Sim card
"It's probably the simplest hack we have ever seen," he told the BBC. "I wish it was more complicated. It isn't."
 
Rather than compromise other people's watches, the researchers bought several more units to test. With these, they found it was possible to:
  • trigger the remote listening facility of someone else's watch, with the only warning being that a brief "busy" message appeared before its screen returned to blank
  • track the wearer's current and past locations
  • alter the safe zone facility so that alerts were triggered by a child's approach rather than their departure
Pen Test Partners also learned it was possible to bypass a feature supposed to limit the watch to accepting calls from only authorised parties. The researchers did this by using an online "prank call" service that fools receiving devices into showing another person's caller ID number.
 
"Once a hacker has the parent's number, they could spoof a call to appear to come from it and the child would now think it's their mum or dad dialing," said Mr Munro.
 
"So they could leave a voice message or speak to the child to convince them to leave their house and go to a convenient location."
 
Using a different tool, Mr Munro said his team were able to see that about 14,000 MiSafes were still in active use
 
Sales Ban
The Norwegian Consumer Council highlighted other cases of child-targeted smartwatches with security flaws last year. It said the MiSafes products appeared to be "even more problematic" than the examples it had flagged.
 
"This is another example of unsecure products that should never have reached the market," said Gro Mette Moen, the watchdog's acting director of digital services.
 
"Our advice is to refrain from buying these smartwatches until the sellers can prove that their features and security standards are satisfactory."
 
In the UK, Amazon used to sell the watches but has not had stock for some time. The BBC found three listings for the watches on eBay but the online marketplace said it had since removed them on the grounds of an existing ban on equipment that could be used to spy on people's activities without their knowledge.
 
MiSafes previously made headlines in February when an Austrian cyber-security company discovered several flaws with its Mi-Cam baby monitors. SEC Consult said these meant hackers could spy on footage from owners' homes and hijack accounts.
 
BBC
 
You Mighht Also Read:
 
Give Children More Control Of Data Privacy:
 
 
« Millennials Are A Threat To Cybersecurity
US & Singapore Agree Cybersecurity Pact »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

GreyCampus

GreyCampus

GreyCampus is a leading provider of training for working professionals in the areas of Project Management, Big Data, Data Science, Service Management, Quality Management and Information Security.

Volexity

Volexity

Volexity is a leading provider of threat intelligence and incident suppression services and solutions.

State e-Government Agency (SEGA) - Bulgaria

State e-Government Agency (SEGA) - Bulgaria

The State e-Government Agency (SEGA) is responsible for matters relating to electronic governance in Bulgaria.

Tata Consultancy Services (TCS)

Tata Consultancy Services (TCS)

Tata Consultancy Services is a global leader in IT services, consulting & business solutions including cyber security.

Infopulse

Infopulse

Infopulse is a global provider of Software Engineering, Cloud & IT Infrastructure Management, and Cybersecurity services.

AXELOS

AXELOS

AXELOS develops best practice frameworks and methodologies used globally by professionals working primarily in IT management and cyber resilience.

Traced

Traced

At Traced, our aim is to redefine mobile cyber security to provide the best possible protection to everyone against breaches of privacy and security.

Kontex

Kontex

Kontex is a Cyber Security consultancy creating resilient solutions. From Strategy, Advisory and Implementation to Management and everything in between.

Capital Network Solutions

Capital Network Solutions

Capital Network Solutions are a highly accredited managed IT services and consultancy provider, specialising in cyber security, infrastructure and communications.

Mindaro Insurance

Mindaro Insurance

Mindaro is adding the crucial piece of the cyber security puzzle that protects your organization from the financial ramifications of cyber attacks.

Alpha Omega Integration

Alpha Omega Integration

Alpha Omega creates new possibilities through intelligent end-to-end mission-focused government IT solutions.

Radiance Technologies

Radiance Technologies

Radiance solutions provide technological advantage and operational superiority for our nation in the areas of intelligence, cyber and advanced weapon systems.

Togggle

Togggle

Togggle offers seamless identity verification solutions and distributed infrastructure, enabling organizations to combat fraud and ensure compliance with data protection regulations.

GitLab

GitLab

GitLab is a complete DevOps platform, delivered as a single application, fundamentally changing the way Development, Security, and Ops teams collaborate and build software.

runZero

runZero

runZero delivers the most complete security visibility possible, providing you the ultimate foundation for successfully managing exposures and compliance.

Replica

Replica

Replica creates authentic virtual environments that ensure identities and assets are always protected no matter where or what work needs to get done.