“Our advice is to stop using this watch” as mitigations are not available, researchers told Threatpost.

Wristwatches with tracking capabilities have gained popularity over the years as an easy way for parents to keep tabs on their children. But a newly-discovered hole in a popular Misafes watch opens up these tracking capabilities to bad actors, which could ultimately threaten the physical safety of the children wearing the watches.

The Misafes ‘Kids Watcher‘ costs less than 10 Euro, and offers functions for parents like two-way calling via a SIM and cellular connection, as well as an accompanying app for parents to track their child’s location.

Researchers at Pen Test Partners found vulnerabilities in the gadget that translate into a stalker or pedophile’s ideal toolset: They could allow remote hackers to retrieve real-time GPS coordinates of the kids’ watches. Attackers could also call kids on their watches, eavesdrop on their conversations and intercept personal information about them, such as name, age and gender.

Alan Monie, researcher with Pen Test Partners, outlined in a Thursday post how he was able to launch various Insecure Direct Object Reference (IDOR) attacks on the watches.

An IDOR attack occurs when an internal implementation object (such as a file or database) is exposed to users without any other access controls. An attacker could manipulate those references to get access to unauthorized data – and from there carry out various malicious actions.

After proxying the iOS MiSafes app (using Burp), Monie found that the traffic was not encrypted – meaning that personal information, such as profile pictures, names, gender, date of birth, height and weight of children using the trackers were all being transmitted across the internet in cleartext.

Making matters worse, the only check that the API appears to perform is matching the user ID with the session_token parameter on the tracker. So an attacker could simply change the family_id in the get_watch_data_latest parameter of the API to find out the watch’s location and device_id associated with that family.

“The family_id was sequentially generated, so we swapped that with another family_id that we also owned and we were able to get the location data for the other watch,” Monie told Threatpost. “This also returned a device_id which we could then use to get the child’s phone number.”

From there, Monie was able to view near-real-time location data for the watch (since it updates the GPS coordinates to the API every five minutes) and previous locations the watch had been to.

Using data from the API, researchers were also able to spoof a call to the watch (as they could retrieve information to get both the child’s and parent’s phone numbers) and activate a “Monitor Mode” that lets them to listen to the child.

Monie said that Misafes did not respond to multiple attempts at contact. The company also did not respond to a request for comment from Threatpost. However, said Monie, the product has been pulled from eBay and is no longer available on Amazon.

Regardless, Monie told Threatpost that the security glitch would be difficult to fix, and recommends that consumers stop using the watch.

“The API could be fixed by MiSafes, but the device uses an internal whitelist to decide whether to allow the child to answer the call,” he said. “This is difficult to fix. MiSafes would need to update the firmware in all the watches. Our advice is to stop using this watch.”

While many IoT devices are not secure, there seems to be something extra insidious about devices used by children. Last year, CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach. And other privacy glitches were discovered in other connected toys, like Genesis Toys’ My Friend Cayla doll (which has been banned in Germany) and Mattel’s Hello Barbie doll.

“Until consumers or industry bodies start asking for certain security standards to be met, or suppliers publish their security testing reports, I think the race to market will take priority over security, sadly,” Monie told Threatpost. “With so many cheap IoT devices out there, security researchers won’t be able to test them all. Hopefully other countries will follow Germany’s example where they banned the Cayla doll, and if bans happen for weak security, then maybe that will put pressure on manufacturers.”