If You Are Thinking About Buying Your Kid a Smartwatch from Amazon, You Need to Think Again
As a part of a penetration testing exercise, researchers from Rapid7 recently ordered three smartwatches from Amazon – the Children's SmartWatch, the G36 Children's Smartwatch, and the SmarTurtles Kid's Smartwatch. As their names suggest, they are all children's smartwatches, and they are designed to help parents keep track of their kids and contact them whenever the need arises. After poking around the devices for a bit, the experts concluded that they have a few serious vulnerabilities that, as we'll find out in a minute, are unlikely to be fixed any time soon. We'll now take a look at Rapid7's findings, and we'll try to show concerned parents what they might want to look out for when buying these gadgets for their kids.
A poorly implemented, SMS-based configuration system makes the three watches easy prey for cybercriminals
When you set up a smartwatch for the first time, you put a valid SIM card in it, and, in the case of the three devices tested by Rapid7, you communicate with it using SMSs. Once you log in (more on that in a minute), you send commands as text messages to configure some of the device's settings, pair it with the mobile app on your phone, and create a whitelist of phone numbers that can communicate with the watch. The last step is especially important because it helps you make sure that only you can control your kid's smartwatch. That's what's supposed to happen, anyway. There are two fundamental problems, though.
For one, the mere use of text messages is not a very good idea. We have talked in the past about how old the communication protocol behind SMS is, and as Rapid7's researchers point out in their report, spoofing the sender's phone number is not difficult at all.
In other words, even if everything else works as it should, the security of the watches Rapid7 tested isn't great. Unfortunately, not everything else works as it should.
The researchers found out that the whitelist you create during the initial setup isn't functional at all. Using a number that is not on the whitelist, an attacker can send the watch text messages, reconfigure it, and set it up to work with an app on their device, meaning that they can track the child's whereabouts and send messages. Before they can do all this, the attacker needs to log into the watch, which means sending a password as an SMS, but there is a problem with this too.
The watches come with a weak default password and woeful documentation
Like most devices of this type, the watches come with a default password. With all three models, the password in question was "123456", which is not an ideal scenario. As if that wasn't enough, while guessing the password might not be that difficult, figuring out how to change it is a completely different story.
If you're expecting clear information on the authentication mechanisms in the user manuals, you're out of luck. One of the manuals doesn't mention the password at all. For another device, the default password is mentioned, but only in a translated blog post dedicated to the smartwatch, not in the actual manual. The vendor of the third watch doesn't characterize the string as a password at all and gives no information on what can be done to change it.
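The two failures described above, a whitelist that is never enforced and a default password that stays valid, shown as the checks a command handler would need to make. This is an added example, not Rapid7's or any vendor's code; the `pw,<password>,<command>` message syntax, the command names and the eight-character minimum are hypothetical.

```python
import hmac

DEFAULT_PASSWORD = "123456"  # default the article reports for all three watches

class WatchConfig:
    def __init__(self):
        self.password = DEFAULT_PASSWORD
        self.allowlist = set()  # normalized numbers approved by the parent
        self.paired = False

def normalize(number):
    """Keep digits only, so '+1 555 0100' and '15550100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())

def handle_sms(cfg, sender, body):
    """Process one hypothetical 'pw,<password>,<command>[,<arg>]' message."""
    parts = [p.strip() for p in body.split(",")]
    if len(parts) < 3 or parts[0] != "pw":
        return "REJECT: malformed"
    password, command, args = parts[1], parts[2], parts[3:]
    # 1. Enforce the allowlist before anything else. SMS sender numbers can be
    #    spoofed, so this is one layer of defence, not the only one.
    if cfg.allowlist and normalize(sender) not in cfg.allowlist:
        return "REJECT: sender not allowed"
    # 2. Compare the password in constant time.
    if not hmac.compare_digest(password.encode(), cfg.password.encode()):
        return "REJECT: bad password"
    # 3. While the default password is active, the only accepted command is
    #    the one that replaces it.
    if cfg.password == DEFAULT_PASSWORD and command != "setpw":
        return "REJECT: change default password first"
    if command == "setpw" and len(args) == 1:
        if args[0] == DEFAULT_PASSWORD or len(args[0]) < 8:
            return "REJECT: weak password"
        cfg.password = args[0]
        return "OK: password changed"
    if command == "allow" and len(args) == 1 and normalize(args[0]):
        cfg.allowlist.add(normalize(args[0]))
        return "OK: number allowed"
    if command == "pair" and not args:
        cfg.paired = True
        return "OK: paired"
    return "REJECT: unknown command"
```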
Can the security problems be fixed?
Plugging the security holes Rapid7 found shouldn't really be that difficult. Swapping SMS for a more robust communication method would require a major redesign of the entire backend, which would be difficult and expensive, but a working whitelist and a more obvious password reset mechanism can be implemented with a relatively simple firmware update. Putting together a more detailed user manual and distributing it to new and existing users doesn't require much in the way of effort, either. Unfortunately, in all likelihood, nothing will be done to mitigate the risk.
Before publicly disclosing their findings, Rapid7's researchers wanted to get in touch with the vendors and help them fix the issues. Unfortunately, the maker of the Children's SmartWatch and the G36 Children's Smartwatch doesn't have any online presence outside the Amazon marketplace, and although the third vendor, SmarTurtles, has a website, it has decided not to share any contact information with the rest of the world.
This not only means that disclosing security vulnerabilities is impossible. It also means that the tracking device on your child's wrist might be developed and sold by a company that doesn't want you to contact it under any circumstances.
Obviously, if you've bought your children a smartwatch that is affected by the vulnerabilities listed above, you should think carefully about whether you really need it that badly. At the very least, do some research and make sure you change the default password because, in its out-of-the-box state, the authentication mechanism is as good as non-existent.
Research will also pay off if you haven't yet bought a smartwatch for your child but are thinking of getting one. Go online and figure out how the watch works and how you communicate with it before you place the order. Check out the user manual and make sure that if the initial setup is reliant on a default password, there is a well-documented way of changing it once everything is up and running. Read the reviews and see what sort of problems other people have had to deal with. Last but not least, try to learn more about the company offering the device. If that's not possible, you're better off just walking away.