Flaws in Smartwatches on Amazon.com May Let Strangers Track Kids

The smartwatches have a default password of "123456," which isn’t even mentioned in one smartwatch’s manual.

Advertisement
By Andrew Martin, Bloomberg | Updated: 12 December 2019 10:42 IST
Highlights
  • Security researchers discovered vulnerabilities in cheap smartwatches
  • The devices offer location tracking, messaging, and chat features
  • The watches have a default password of "123456"

The watches let authorised users change configuration details by texting the watch directly

Security researchers discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and track kids. Rapid7, a cyber-security firm based in Boston, purchased three smartwatches on Amazon.com, costing from $20 to $35 (roughly Rs. 1,400 to Rs. 2,500), according to Deral Heiland, research lead for IoT technology. He said the models - GreaSmart Children's SmartWatch, Jsbaby Game Smart Watch, and SmarTurtle Smart Watch for Kids - were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school-aged kids.

All three devices offer location tracking, messaging, and chat features. They were manufactured in China and shared nearly identical hardware and software. They also had similar security issues, Rapid7 found.

Advertisement

The watches let authorised users view and change configuration details by texting the watch directly with certain commands. In practice, this didn't work and "unlisted numbers could also interact with the watch," Rapid7 said in a report.

This security issue could be fixed with a vendor-supplied firmware update, but "such an update is unlikely to materialise given that the providers of these devices are difficult to impossible to locate," the cyber-security firm added.

Advertisement

The watches have a default password of "123456," but one of the watch's manuals doesn't mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn't characterise the numbers as a password nor does it provide instructions on how to change it, according to the researchers.

"Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent)," Rapid7 said in its report.

Advertisement

An unauthorised user could shut off all the safety protocols a parent had set up on the smartwatch, Heiland said.

Rapid7 said its researchers weren't able to contact the sellers nor what they believe is the manufacturer of the watches, a Chinese company called 3g Electronics Co. The company didn't respond to a message from Bloomberg News seeking comment.

Advertisement

The GreaSmart Children's SmartWatch is no longer for sale on Amazon, according to Rapid7. GreaSmart, Jsbaby, SmarTurtle didn't respond to a requests for comment. Oltec, a merchant that sells the SmarTurtle watch on Amazon, didn't respond to a message sent via Amazon's site.

"Consumers that are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons," Rapid7 warned in its report.

© 2019 Bloomberg LP

 

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: Rapid7, Amazon
Advertisement

Related Stories

Popular Mobile Brands
  1. Airtel Unlimited 5G Data Subscribers Reportedly Cannot Share 5G Data via Mobile Hotspot
  2. How to Watch the FIFA World Cup 2026 Final Live Stream in India
  3. Pixel 11a Codename Appears in Google's Phone App: Report
  1. Redmi Note 17 Pro Global Variant Reportedly Appears on NBD Database Alongside Poco Model
  2. Google Pixel 11a Codename Reportedly Spotted in Phone App
  3. Huawei Mate XT 2 Leaked Patent Reveals New Tri-Fold Design and Folding Mechanism
  4. Airtel Unlimited 5G Data Subscribers Reportedly Cannot Share 5G Data via Mobile Hotspot: Here's What We Know So Far
  5. Lenovo Legion C700 Teased as a Cloud Gaming Handheld Ahead of August Launch
  6. Marvel's Wolverine Gets New Trailer That Will Play Ahead of Christopher Nolan's The Odyssey in Select Theatres
  7. Airtel Quietly Removes Rs. 549 Individual Postpaid Plan in India; Rs. 699 Plan Becomes Next Upgrade
  8. Poco M8 Power, Poco X8 India Launch Timeline Tipped; Could Arrive as Rebranded Redmi Note 17 Series
  9. Samsung Galaxy S25 Series Could Get Galaxy S26’s Horizontal Lock Camera Feature With One UI 9 Update
  10. Asus Pad India Launch Date Announced as Company Reveals Key Specifications
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.