FTC urged to investigate easy-to-hack smartwatches for kids

A new report revealed significant security and privacy flaws in smartwatches for kids, prompting U.S. watchdog groups to ask the FTC to investigate.

Smartwatches for kids are marketed as a way for parents to remotely keep tabs on kids, but a new report claims the smartwatches have serious privacy and security flaws that could allow a stranger to “easily seize control of the watches and use them to track and eavesdrop on children.”

The Norwegian Consumer Council (NCC) and the security firm Mnemonic tested smartwatches for kids and determined, “In a few simple steps, a stranger can take control of the watch and track, eavesdrop on and communicate with the child.”

Mnemonic discovered “significant security flaws in three of the four devices tested, which may lead to information about GPS watch users’ location and activities ending up in the wrong hands. The flaws are not technically difficult to exploit, and in two cases, allow a third party to covertly take control over the watch.”

The five vulnerabilities identified are unauthorized access, remote audio surveillance, location spoofing, compromised emergency “SOS” functionality and insecurely stored data.

“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” said Finn Myrstad, director of digital policy at the Norwegian Consumer Council. “Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist.”

Smartwatches tested

The models of smartwatches for kids that were tested include the Gator 2 watch, which is also called Caref; TickTalk/Xplora watches using the SeTracker series of apps; and Tinitell. Only the latter, which has fewer features than its competitors, did not have the major security flaws, but its privacy protections were unclear.

These watches include location tracking, microphones and cameras for remote monitoring of children by parents. But the watches could be used to spy on parents. For example, the NCC report (pdf) pointed out that the “monitoring” function of the Viksfjord device, a watch that uses the SeTracker app, is “problematic. Even if one agrees that it should be permissible to listen in on children without their knowledge, the function enables you to monitor anyone in the vicinity of the child. That means the Viksfjord can potentially be used to spy on the conversations of unwitting people.”

NCC’s report added, “The vast variety of products being imported and sold under different names also make it exceedingly difficult to understand who is responsible for any problems with the devices or apps.”

Some of those smartwatches for kids are being sold in the U.S. Seven consumer watchdog groups, including EPIC and The Center for Digital Democracy, sent a letter to the FTC (pdf), asking the commission to look into the risks to children’s safety associated with the devices and to determine if they violate laws such as the Children’s Online Privacy Protection Rule (COPPA). This is the same advocacy coalition that called on the FTC to take action against “toys that spy,” such as My Friend Cayla and i-Que-Robots.

This time, the group explained to the FTC:

Two of the devices allow a potential attacker to take control of the apps, “thus gaining access to children’s real-time and historical location and personal details, as well as even enabling them to contact the children directly, all without the parents’ knowledge.” Key features, “such as an SOS button that alerts the parents if the child is in distress and a geofencing function that sends an alert whenever the child enters or leaves a designated area,” are not reliable.

The data privacy practices of the firms also place children at risk. One company allows children’s personal data to be used for marketing purposes. Another transmits unencrypted children’s location data. Only one of the companies asks for consent prior to data collection, and “none of them promise to notify users of any changes to their terms, and there is no way to delete user accounts from any of the services.”

“By preying upon parents' desire to keep children safe, ... these smartwatches are actually putting kids in danger,” said Josh Golin, executive director of the Campaign for a Commercial-Free Childhood. “Once again, we see Internet of Things products for kids being rushed to market with no regard for how they will protect children’s sensitive information. Parents should avoid these watches and all internet-connected devices designed for kids.”

Golin told CBS, “I think we’re used to seeing cheap products for children. If it breaks after six months, that’s one problem. But if we’re talking about a watch that a stranger can easily hack and track where your child's location is, that’s much more serious.”
