If You Have Bought Your Kid an Enox Safe-KID-One Smartwatch, Go Get Your Money Back


A couple of years ago, Enox, a German consumer electronics brand, started selling Safe-KID-One – a smartwatch for children that comes with all the features you'd expect from such a device. You can put a SIM card in it and call your kids to make sure that everything's alright, and because it also has a GPS transmitter, you can keep an eye on their location via a mobile app. On its website, Enox touts 'high-quality standards', but at least as far as the Safe-KID-One watch is concerned, the European Commission (EC) isn't quite so sure.

The European Commission, for those of you who don't know, is one of the most important institutions in the European Union. It's responsible for, among other things, making sure that the products sold in the EU meet certain requirements. It regularly forces recalls of items that might not be in line with the strict regulations, and recently, it said that anyone who has bought the Enox Safe-KID-One watch should go back to the retailer and get their money back.

The first EU recall because of privacy concerns

The commission isn't happy with Safe-KID-One's security. More specifically, it's not happy with the security of Kids Care – the mobile application accompanying the watch. Apparently, Iceland's consumer protection authorities were the first to question the quality of the app, and the EC took their concerns seriously. Enox told the BBC that they plan on appealing to both Iceland's regulators and the EC, but regardless of whether or not the decision stands, this is the first European Commission action that was prompted by poor data protection mechanisms.

A childish error could have put many kids at risk

Indeed, Kids Care's creators made one of the most inexcusable blunders a developer can make nowadays – they failed to protect the data in transit. Iceland's regulators poked around the app and found out that the connection between it and its backend server is not encrypted in any way. In other words, the location of the watch is transferred from the device to the parent's mobile phone in plaintext. This means that anyone who can see the traffic can intercept the information and alter it. You can probably imagine what sort of risks this brings, but unfortunately, this is not the only problem.

The parent must use the Kids Care application to set the watch up and assign a list of phone numbers that can communicate with it. Because all that data is flowing without any form of protection, however, an attacker can change it mid-flight and gain full control of the watch.

And all this because someone forgot to use a free SSL certificate to protect the communication. Is this really that much of a shock, though?

The Kids Care app doesn't look very good

As Bernieri Christian, an Italian data protection specialist, pointed out, the privacy policy link on Kids Care's Google Play page doesn't actually lead you to Kids Care's privacy policy. Instead, it links to a LinkedIn account.

If you go through the reviews, you'll see that plenty of people have had problems getting the app to work, and the developers don't seem to be particularly responsive to all the pleas for assistance. As if that wasn't enough, the permissions Kids Care requests upon installation could raise more than a few eyebrows. In addition to access to GPS data, and the ability to call numbers, the app wants to be able to draw over other applications and modify system settings.
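Both the unencrypted connection described earlier and the permissions listed above can be checked from an app's manifest before it is trusted with a child's location. The following is an added example, not code from the article, Enox or the Kids Care developers. It assumes the manifest has already been decoded to plain XML, and the sample manifest and the package name `com.example.kidwatch` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Permissions named in the article, by their Android manifest names.
REVIEW_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}

# Constructed sample for a hypothetical app; NOT the real Kids Care manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.kidwatch">
  <uses-sdk android:minSdkVersion="19" android:targetSdkVersion="26"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <application android:label="Example Watch"/>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of findings for a manifest already decoded to plain XML."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    sdk = root.find("uses-sdk")
    # Assumption: targetSdkVersion is numeric; if absent it is treated as 1.
    target = int(sdk.get(A + "targetSdkVersion", "1")) if sdk is not None else 1
    attrs = app.attrib if app is not None else {}
    findings = []
    if A + "networkSecurityConfig" in attrs:
        # On Android 7.0+ this file overrides usesCleartextTraffic.
        findings.append("transport: policy set in network security config, review it")
    elif attrs.get(A + "usesCleartextTraffic") == "true":
        findings.append("transport: cleartext HTTP explicitly allowed")
    elif A + "usesCleartextTraffic" not in attrs and target < 28:
        # Platform default permits cleartext when targetSdkVersion is 27 or lower.
        findings.append("transport: cleartext HTTP allowed by platform default")
    for perm in root.iter("uses-permission"):
        name = perm.get(A + "name")
        if name in REVIEW_PERMISSIONS:
            findings.append("permission: %s (%s)" % (name, REVIEW_PERMISSIONS[name]))
    return findings


if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE_MANIFEST)))
```

A transport finding means the platform would not block unencrypted connections; whether the app actually makes them still has to be confirmed by looking at its traffic.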

Vendors continue to overlook security

We all know that more and more of the so-called "things" tend to be connected to the internet, and the gadgets our children play with are no exception. In fact, vendors are in a hurry to get everything online, and they fail to account for the problems associated with this.

That's why it's important to think twice before buying the next novelty item, especially if the privacy of your child is concerned.

February 6, 2019
