
Cheap kids smartwatch exposes the location of 5,000+ children

by technewshero
November 25, 2019
in Security
[Image: SMA M2, via SMA website]

A cheap $35 kids’ smartwatch made in China was caught exposing the personal details and location information for more than 5,000 children and their parents.

In a report published today by the Internet of Things testing division of AV-TEST, researchers said they found egregious flaws in the security measures put in place to protect the backend and mobile app of the M2 smartwatch, made by Chinese company SMA.

“The Chinese SMA-WATCH-M2 tops the security failures of other manufacturers by far,” said Maik Morgenstern, CEO and the Technical Director of AV-TEST, whose team has been testing kids smartwatches for more than two years.

The M2 smartwatch and its security flaws

The SMA M2 kids smartwatch has been around for years. It was designed to work with a companion mobile app. Parents would register an account on the SMA service, pair their child’s smartwatch to their phone, and use the app to track the kid’s location, make voice calls, or get notifications when the child would leave a designated area.

The concept is not new, as there are plenty of similar products on the market, ranging in price from $30 to $200-$300. However, Morgenstern suggests that SMA created one of the most insecure products on the market.

For starters, Morgenstern says anyone can query the smartwatch’s backend via a publicly accessible web API. This is the same backend where the mobile app also connects to retrieve the data it shows on parents’ phones.

Morgenstern says there’s an authentication token in place that’s supposedly there to prevent unauthorized access, but attackers can supply any token they like, as the server never verifies its validity.

An attacker can connect to this web API, cycle through all user IDs, and collect data on all kids and their parents.

Morgenstern says that using this technique, his team was able to identify more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts.

Most of the kids were located throughout Europe, in countries such as the Netherlands, Poland, Turkey, Germany, Spain, and Belgium, but the AV-TEST CEO says they’ve also found active smartwatches in China, Hong Kong, and Mexico.

[Image: map of SMA M2 smartwatch locations. Credit: AV-TEST]

The data exposed via this Web API included the child’s current geographical location, device type, and SIM card IMEI.

Furthermore, a second vulnerability allowed access to even more creepy functions. Morgenstern says that the mobile app installed on parents’ phones is also very insecure.

An attacker can install it on their own device, change a user ID in the app’s main configuration file, and have their smartphone paired with a child’s smartwatch without ever having to enter a parent account email address or password.

Once attackers have paired their smartphone to a child’s smartwatch, they can use the app’s features to track the kid via a map, or even place calls and start voice chats with children.

Even worse, the attacker can change the mobile account’s password and lock the parent out from the app while they give a child wrong instructions.
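
Both flaws described above come down to the server trusting values it never checked: a token whose validity is not verified, and a user ID supplied by the client. The following is an added example, not code from AV-TEST or SMA, contrasting that pattern with a handler that verifies the token and authorizes against server-side ownership; all names, keys and data in it are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the backend
# Constructed sample data: which parent account owns which watch.
WATCH_OWNER = {"watch-1001": "parent-A", "watch-1002": "parent-B"}
LOCATIONS = {"watch-1001": (52.37, 4.90), "watch-1002": (52.23, 21.01)}


def _mac(account_id: str) -> str:
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id: str) -> str:
    """Issued after a successful login; binds the token to one account.
    Simplification: a production token would also carry an expiry."""
    return f"{account_id}.{_mac(account_id)}"


def account_from_token(token: str):
    """Return the account the token was issued to, or None if it is not ours."""
    account_id, sep, mac = token.rpartition(".")
    if not sep or not account_id:
        return None
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    ok = hmac.compare_digest(mac.encode(), _mac(account_id).encode())
    return account_id if ok else None


def get_location_flawed(token: str, watch_id: str):
    """The reported pattern: a token must be present but is never verified,
    and the caller-supplied ID alone selects whose data is returned."""
    if not token:
        return 401, None
    return 200, LOCATIONS.get(watch_id)


def get_location_checked(token: str, watch_id: str):
    """Verify the token, then authorize against server-side ownership."""
    account = account_from_token(token)
    if account is None:
        return 401, None
    # Same answer for "not yours" and "does not exist", so IDs cannot be probed.
    if WATCH_OWNER.get(watch_id) != account:
        return 404, None
    return 200, LOCATIONS[watch_id]
```

The same ownership check applies to pairing, calling and password changes: the account comes from the verified token, never from an ID stored in the app's configuration.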

Watch still on sale

Morgenstern says they’ve contacted SMA with their findings. He did not say how SMA reacted, but only mentioned that the watch is still being sold via the company’s website and via other distributors [1, 2].

Morgenstern says that German distributor Pearl has taken the M2 off their shelves after their report.

SMA did not return a request for comment before this article’s publication.

The AV-TEST CEO also contacted the Federal Office for Information Security (BSI), Germany’s cyber-security agency. In 2017, the BSI banned the sale of kids smartwatches in Germany if the watch came with a remote listening feature.

Earlier this year in February, the EU recalled two kids’ smartwatch models because of similar security flaws that allowed attackers to contact and/or track children’s locations.

© 2020 Tech News Hero.
