Smartwatch for Your Kids? Beware!
Smartwatch for Your Kids? Beware!
This article was written for Peak Prosperity by Terence Kam, founder and cybersecurity consultant at iSecurityGuru.com. You can follow his company on LinkedIn. Or subscribe to his writings on Medium, where he writes on a wider variety of topics.
I remember when I was a kid, I wished for a Dick Tracy type of communication device that looked like a wristwatch. Whenever the comic hero wanted to talk to someone, he could lift his arm and talk through his watch.
Today, such a technology exists. Smartwatches now function as smartphones. They can make video calls, send and receive text messages, take pictures and so on. Parents can communicate with and even track their kids’ physical locations. Best of all, smartwatches are cheap. You can get them for under $100, and they look colorful and cool. Since Christmas is coming, why not stuff some stockings with the device?
Well, if you are a parent, think again.
Dr. Web Antivirus just released research on smartwatches for kids. The website pulled apart and analyzed several popular models. I wouldn’t repeat their article here, but based on the research, here are some general principles to keep in mind.
All smart devices “phone home”
Every computer, smartphone, tablet, smartwatches and other “smart” devices that connect to the Internet will “phone home”. Your Windows and Mac computers, iPhones, Android phones all talk to Apple, Microsoft and Google to provide the “smart” functionality. It is to be expected. There is no question about that.
But what differentiates between a trusted smart device and a malicious smart device is whether you trust the software code running inside it, as well as the server it “phones home” to.
Can smart devices update their own software securely?
As I wrote in Top 10 Things You Must Do to Avoid Getting Hacked:
The IT industry has not figured out how to write secure code. Every time hardware and software vendors released new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched. Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system! Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.
All responsible device manufacturers must provide a means to update the software running inside their devices. The question is whether the update mechanism is secure or not. If the update mechanism is not secure, then incidents like this can happen:
Passwordstate, the enterprise password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its clients for approximately 28 hours. The hack was carried out through an upgrade feature for the password manager and potentially harvested the passwords of those who carried out upgrades.
On Friday, Click Studios issued an incident management advisory about the hack. It explained that the initial vulnerability was related to its upgrade director—which points the in-place update to the appropriate version of the software on the company’s content distribution network—on its website. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, titled “moserware.secretsplitter.dll,” from a download network not controlled by Click Studios.
What Dr. Web Antivirus discovered is that some of these smartwatches employ dodgy code to perform software updates. Dr. Web calls these codes “malicious” probably because they are used by malicious software to update themselves. Dr. Web also found out that the codes transmit a lot information to unknown servers, including:
- Your child’s geolocation
- Mobile phone number of the smartwatch
Will you be comfortable with these two pieces of information about your child being sent to unknown servers?
Do these smart devices know anything about cybersecurity?
Some of these smart devices practice extremely poor cybersecurity:
- For example, it sends your child’s geolocation data to its server unencrypted. For parents to know the location of their child, the smartwatch transmits the child’s geolocation to a server. Although you can trust the server it transmits the information too, if it is transmitted unencrypted, will you be comfortable with that?
- Another example: some of these smartwatches utilize default passwords. Default passwords are VERY bad for cybersecurity. Firstly, they are publicly known information. Next, we cannot expect every parent to be tech savvy enough to change the default passwords. Default passwords are such a bad idea the UK recently made it illegal. That is, if manufacturers of internet-connected devices utilize default passwords, they run the risk of legal penalties.
- Some of these smartwatches can be controlled merely by sending text messages to it. If hackers know the phone number of the smartwatch and the password, they can control it. Since there is a high chance that parents have not yet changed the default password (which is a publicly known information), their kids’ smartwatches are open to the control of hackers.
- Even if the hacker does not know the password, there is a loophole. The hacker can query the parent’s mobile phone number and use this information as an exploit to change the smartwatch password. Dr. Web Antivirus did not provide details of how it can be done. But I bet it involves the spoofing of the parent’s mobile number. As I wrote in this article, it can be done easily.
Kids’ smartwatches are cheap. But you get what you pay for. Manufacturers of cheap smartwatches use their expertise to produce great devices at low cost. But, they don’t possess the cybersecurity expertise and financial resources to make a safe, secure and private device. Thus, they are vulnerable to poor cybersecurity practices and cyberattacks.
If you want to buy a smartwatch device for your kids, it is better to stick to manufacturers with a cybersecurity track record. The safest bet is to buy from well-known brands like Apple and Google. For Google, if you are uncomfortable with their business model of collecting information/data about you, then Apple is your best choice. You can also consider other big brands like Samsung and Garmin. Basically, stay away from those cheap unknown manufacturers.
– Peak Prosperity –