Kids' Smartwatches Are a Security Nightmare Despite Years of Warnings

Five out of six brands tested by researchers would have allowed hackers to track kids—and in some cases eavesdrop on them.
girl checking watch
Security researchers have been sounding the alarm on kids' smartwatches for years. A new study shows that several models are still a mess.Photograph: Matt Perrin/Alamy

Connecting every possible device in our lives to the internet has always represented a security risk. But that risk is far more pronounced when it involves a smartwatch strapped to your child's wrist. Now, even after years of warnings about the security failings of many of those devices, one group of researchers has shown that several remain appallingly easy for hackers to abuse.

In a paper published late last month, researchers at the Münster University of Applied Sciences in Germany detailed their testing of the security of six brands of smartwatches marketed for kids. They're designed to send and receive voice and text messages, and let parents track their child's location from a smartphone app. The researchers found that hackers could abuse those features to track a target child's location using the watch's GPS in five out of the six brands of watch they tested. Several of the watches had even more severe vulnerabilities, allowing hackers to send voice and text messages to children that appear to come from their parents, to intercept communications between parents and children, and even to record audio from a child's surroundings and eavesdrop on them. The Münster researchers shared their findings with the smartwatch companies in April, but say that several of the bugs they disclosed have yet to be fixed.

The Münster study builds on years of similar findings. Several vulnerabilities in kids' smartwatches have been found in previous research including a study by the Norwegian consumer protection agency that found similarly alarming problems. The European Commission even issued a recall for one kid-focused smartwatch last year. Given those repeated exposés, the Münster researchers were surprised to find the products they tested still riddled with vulnerabilities.

"It was crazy," says Sebastian Schinzel, a Münster University computer scientist who worked on the study and presented it at the International Conference on Availability, Reliability, and Security in late August. "Everything was basically broken."

The Münster researchers focused on six smartwatches sold by JBC, Polywell, Starlian, Pingonaut, ANIO, and Xplora. But as they looked into the watches' design, they found that JBC, Polywell, ANIO, and Starlian all essentially use variations on a model from the same white label manufacturer, with both the watch hardware and backend server architecture provided by a Shenzhen-based Chinese firm called 3G.

Those four devices turned out to be the most vulnerable among those tested. The researchers found, in fact, that smartwatches using 3G's system had no encryption or authentication in their communications with the server that relays information to and from the parents' smartphone app. Just as with smartphones, every smartwatch comes with a unique device identifier known as an IMEI. If the researchers could determine the IMEI for a target child, or simply choose one at random, they could spoof the communications from the smartwatch to the server to tell it a false location for the child, for instance, or send an audio message to the server that appeared to come from the watch. Perhaps most disturbingly, they say they could similarly impersonate the server to send a command to the smartwatch that initiated audio recording of the watch's surroundings that's relayed back to the hacker.

Separately, the researchers say they found multiple instances of a common form of security flaw in the 3G's backend server, known as SQL injection vulnerabilities, in which the inputs to a SQL database can include malicious commands. Abusing those flaws could have given a hacker broad access to users' data—though for legal and ethical reasons the team didn't actually attempt that data theft. "We didn’t want to harm people, but we could have gotten all the user data and all the position data, voice messages from the parents to the children, and vice versa," says Münster University researcher Christoph Saatjohann.

The researchers found that one of the four watches that used 3G's technology, the ANIO4 Touch, had built its own smartphone app to communicate with their smartwatch via their own backend server. But ANIO's code also had severe authentication flaws, they say. After a hacker connects to the ANIO server using legitimate login credentials, they could tweak their identity to send commands as any other user. Separately from 3G's vulnerabilities, that would allow a hacker to intercept locations and intercept or spoof text messages and audio messages.

The Münster researchers say yet another smartwatch, the Pingonaut Panda2, similarly lacked TLS encryption in its communications with a server, despite claiming that it used that encryption in a description of the smartwatch's security on its website. That allowed the researchers to intercept text messages sent to the smartwatch and spoof its location within a certain range. But to pull off the more serious attacks that were possible on the other watches, the researchers had to deploy a "man-in-the-middle" technique that used a software-defined radio to intercept the smartwatch's GSM cellular communications and respond with its own messages. Using that set-up, they found they could monitor the watch's location and spoof text messages to the watch, just as with the other watches.

Only a smartwatch sold by the firm Xplora fared relatively well in the study. Because the device had TLS encryption, researchers only managed to replay intercepted audio messages to the phone, and only by using a radio-based man-in-the-middle attack. That comparatively strong security may have resulted from Xplora fixing its vulnerabilities after being called out by the Norwegian government study of childrens' smartwatches in 2017.

When WIRED reached out to the companies involved in the study for comment, only 3G immediately responded, saying that it had patched the security issues the researchers had brought to its attention and added encryption to the communications between their watches and servers. "The author did contact us and we solved all the vulnerabilities," a 3G spokesperson wrote in a statement to WIRED. The researchers confirm that the flaws they found do seem to be fixed in JBC and Polywell's watches, though they didn't attempt to circumvent any of the new security measures. But in the Starlian watch, they say they were still able to spoof a watch's location and messages.

ANIO told the researchers that it had fixed the backend authentication vulnerabilities and that it has added encryption in current and future smartwatch models. The Münster researchers found that they were indeed no longer able to monitor a target watch's location or intercept messages to the phone, but they could still spoof the watch's location. As for Pingonaut, when the researchers told the company about its watches' vulnerabilities, it responded that it won't fix the problem in the Panda2 watch model they tested, but that they use TLS encryption to protect communications in more recent models.

Beyond the sheer number of problems the researchers found, Münster's Schinzel says he was shocked to see that these sorts of vulnerabilities persisted after so much previous research and public warnings. "It didn’t seem to change a lot," Schinzel says. "It's 2020. How can you sell something that speaks over mobile networks, is unencrypted and has no authentication or anything? After three years, there's been plenty of time to have done a very basic security analysis against their own stuff. And they didn’t do it."

The researchers concede that not every smartwatch necessarily has security flaws as egregious as those they found. They only texted six smartwatch models, after all. It's also possible the repeated studies of children's smartwatches over several years may have managed to root out some of the devices' worst vulnerabilities. But based on how easily they managed to hack the watches they did test, they say they have little doubt that there are more security flaws across similar devices that they didn't examine.

When WIRED asked Schinzel if three years of security analyses gave him the confidence to put these smartwatches on his own children, he answered without hesitation: "Definitely not."


More Great WIRED Stories