The smartwatches have a default password of "123456," which isn’t even mentioned in one smartwatch’s manual.
The watches let authorised users change configuration details by texting the watch directly
Security researchers discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and track kids. Rapid7, a cyber-security firm based in Boston, purchased three smartwatches on Amazon.com, costing from $20 to $35 (roughly Rs. 1,400 to Rs. 2,500), according to Deral Heiland, research lead for IoT technology. He said the models - GreaSmart Children's SmartWatch, Jsbaby Game Smart Watch, and SmarTurtle Smart Watch for Kids - were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school-aged kids.
All three devices offer location tracking, messaging, and chat features. They were manufactured in China and shared nearly identical hardware and software. They also had similar security issues, Rapid7 found.
The watches let authorised users view and change configuration details by texting the watch directly with certain commands. In practice, this didn't work and "unlisted numbers could also interact with the watch," Rapid7 said in a report.
This security issue could be fixed with a vendor-supplied firmware update, but "such an update is unlikely to materialise given that the providers of these devices are difficult to impossible to locate," the cyber-security firm added.
The watches have a default password of "123456," but one of the watch's manuals doesn't mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn't characterise the numbers as a password nor does it provide instructions on how to change it, according to the researchers.
"Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent)," Rapid7 said in its report.
An unauthorised user could shut off all the safety protocols a parent had set up on the smartwatch, Heiland said.
Rapid7 said its researchers weren't able to contact the sellers nor what they believe is the manufacturer of the watches, a Chinese company called 3g Electronics Co. The company didn't respond to a message from Bloomberg News seeking comment.
The GreaSmart Children's SmartWatch is no longer for sale on Amazon, according to Rapid7. GreaSmart, Jsbaby, SmarTurtle didn't respond to a requests for comment. Oltec, a merchant that sells the SmarTurtle watch on Amazon, didn't respond to a message sent via Amazon's site.
"Consumers that are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons," Rapid7 warned in its report.
© 2019 Bloomberg LP
Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.