A security researcher from Pen Test Partners found that the device’s data was unencrypted and unsecured in each child’s account.

This, the researcher said, could enable bad actors to monitor children’s movements through the device’s location-tracking feature and also allow them to listen in on their daily activities.

‘Tracking and Snooping on a Million Kids’

In a blog post, Alan Monie explained that he stumbled upon the discovery after a friend had purchased the MiSafes ‘Kids Watcher’ device.

The device was available to purchase on Amazon, eBay and a number of other online retailers and was priced at around £10.

Offering useful functionalities such as two-way calling and location tracking, it was hailed by the company as a valuable tool for parents to keep tabs on their children’s whereabouts.

Parents can also create a “safe zone” through some of the device features, which informs them via SMS alerts if the child leaves a designated zone.

Monie explained that he probed the security measures and found that readily available PC software could be used to replicate or mimic the app’s communications. This software could also be used to change designated ID numbers, which, it transpires, is all a hacker would need to access others’ accounts.

Using this software, Monie and researchers at Pen Test Labs found an individual could access personal details used to register the account. These included:

A photo of the child

Child’s height and weight

Parents’ phone numbers

Phone numbers assigned to the watch SIM card, and

The child’s name, gender and date of birth.

The security firm also claims that it is possible to bypass call-restriction features which prohibit calls from unauthorised parties.

Monie said he did this by using an online “prank call” service, which fools devices into showing another person’s caller ID number.

“An attacker could get both the child’s and a parent’s phone number, and spoof a call to the watch,” he explained.

Monie added: “The child would think that it was their dad that was calling. Would a child do what they were asked if a call came in like this?”

Audio Snooping

Further testing showed that the app also allowed the watch to be turned into a do-it-yourself snooping device.

Monie explained: “It was possible to pass a valid device_id to the activate_monitor_mode in the API and that would cause the watch to automatically answer any call that was on the whitelist.

“As before, spoofing the caller ID would allow anyone to remotely listen in on a child. If the watch was left elsewhere in a household, it becomes a remote listening device for anyone on the internet.”
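The flaw described above is a missing ownership check: the service acts on whatever device ID the client sends. The sketch below is an added example, not code from the researcher or the vendor. It contrasts that pattern with a server-side check that ties each device_id to the authenticated account and counts denied requests to flag ID guessing. Only device_id and activate_monitor_mode come from the article; every other name, value and the alert threshold is an assumption.

```python
from collections import Counter

# Constructed sample data (hypothetical): device ownership and stored profiles.
OWNERS = {"watch-1001": "parent-a", "watch-1002": "parent-b"}
PROFILES = {"watch-1001": {"child": "A"}, "watch-1002": {"child": "B"}}
MONITOR_MODE = set()        # device_ids with auto-answer enabled
DENIED = Counter()          # denied requests per account, for alerting
ENUMERATION_THRESHOLD = 3   # assumed alert threshold


class Forbidden(Exception):
    """Raised when an account asks for a device it does not own."""


def get_profile_unchecked(account, device_id):
    # Flawed pattern from the article: the client-supplied ID is trusted,
    # so changing the ID returns another family's record.
    return PROFILES[device_id]


def authorize(account, device_id):
    # `account` must come from the authenticated session on the server,
    # never from a field in the request body.
    if OWNERS.get(device_id) != account:
        DENIED[account] += 1
        # Same error for "not yours" and "does not exist", so responses
        # do not reveal which IDs are valid.
        raise Forbidden("device not available to this account")


def get_profile(account, device_id):
    authorize(account, device_id)
    return PROFILES[device_id]


def activate_monitor_mode(account, device_id):
    authorize(account, device_id)
    MONITOR_MODE.add(device_id)


def suspected_enumeration():
    # Accounts whose denied requests reached the threshold.
    return sorted(a for a, n in DENIED.items() if n >= ENUMERATION_THRESHOLD)
```

The same authorize() call guards both the profile read and the monitor-mode change, so a new endpoint cannot be added without passing through the ownership check.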

Courting Controversy

This isn’t the first time MiSafes has made headlines. In February 2018, an Australian cybersecurity company discovered critical flaws in the firm’s Mi-Cam baby monitors.

Similarly, the Norwegian Consumer Council exposed other cases of security risks in child-friendly smartwatches.

Monie concluded that, given the price range, companies may be acting negligently with regard to security testing.

He said: “My friend paid £9 for the watch, and I paid around £35 each for an extra two. When margins are that thin, it becomes less likely that manufacturers spend money on security testing. This could compromise the security of a child.”
