Smartwatches for kids have gained popularity in the last few years, both to encourage physical activity to fight a burgeoning obesity epidemic, and to help parents better track their children when they’re out of sight. But a recent discovery by a team of Norwegian security researchers should give parents definite pause before purchasing pricey electronic equipment for their kids.
Harrison Sand and Erlend Leiknes, the two security sleuths, discovered an undocumented backdoor in a European smartwatch marketed for children. They claim to have found malicious code—originating from a sanctioned technology company in China—that allows someone to remotely capture camera snapshots, wiretap voice calls, and track locations.
The offending smartwatch, made by Chinese company Qihoo 360 and rebranded by the Norwegian firm Xplora, has been extensively marketed in Europe. The watches come preloaded with 19 apps developed by Qihoo 360.
The device typically retails for about 200 USD and is powered by Android. It’s able to make and receive voice calls and send emergency messages when the wearer is in distress. Parents can also remotely monitor the location of their children through an app on their phones. Xplora claims it has sold over 350,000 watches so far across its markets in Europe and the U.S.
The security researchers, who are affiliated with Norwegian company Mnemonic Labs, say that the backdoor can only be activated with a secret encryption key so it’s not as vulnerable as it may seem. However, their findings show that there are several parties with access to the backdoor, including both Xplora and Qihoo 360.
Xplora was notified about the backdoor and has since released a patch to fix the problem. In a statement, it said it had conducted an extensive audit following the notification and “found no evidence of the security flaw being used outside of the Mnemonic testing.”
There’s an impressive technical takedown of the product, documented in detail by Sand and Leiknes. In one instance, they were able to command the remote functionality to upload a picture of their office to Xplora servers.
The researchers note that the backdoor is not a vulnerability, a misconfiguration, or an oversight. Its deep technical sophistication indicates that it was built in intentionally.
Privacy risks in smart toys
Xplora’s backdoor represents a significant security risk, but it’s far from the first privacy violation in products aimed at children.
In 2018, child toy manufacturer Vtech Electronics agreed to pay a fine of 650,000 USD to settle charges by the Federal Trade Commission which alleged Vtech had “violated a U.S. children’s privacy law by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected.”
In 2017, the FBI posted a public warning urging consumers to be mindful of the security risks of internet-connected toys, saying that hackers could exploit vulnerabilities to “snoop on your child’s name, school, location, likes, and dislikes.”
Without naming any specific products, the FBI said the array of sensors, cameras, microphones, data storage components, voice recognition algorithms, and GPS monitors could be compromised to reveal personally identifiable information and lead to child identity fraud.
There are numerous other examples of hacked toys, too. Germany had to ban Cayla, an internet-connected doll, over fears that hackers could target children. CloudPets, a popular internet-connected teddy bear, also suffered a massive data breach that exposed the voice recordings of thousands of users. Fitness apps aren’t only recording your steps, but potentially your geographic location, heart rate, sleep patterns, and calories consumed, too.
How can you keep your kids safe?
For parents worried about the potential exposure of their children, here are a few best practices to follow:
- Use a secure Wi-Fi password: Make sure that your home internet password is alphanumeric and hard to guess. Hackers thrive on weak passwords, so don’t hand them the advantage. And refrain from connecting the toy to public Wi-Fi networks.
- Switch off when not in use: Don’t keep the toy on at all times. Whenever your child is done playing with their toy or smartwatch, make sure to switch it off.
- Use minimal information: When registering or signing up for an account, be sure to put in as little information as possible. Don’t include the names of your children, and use a burner email account if you can.
- Educate your children: Your children will be as vigilant as they are taught to be. Privacy training should start at an early age, with children reminded that they should not give away personal information online and should refrain from chatting with strangers on the web, just as they would in real life.
- Report erratic behavior: If you feel that something is amiss with your device, then flag the matter to the relevant authorities in your home country or state. Don’t take a lenient view when it comes to your privacy.