In recent weeks, Dr. Web published a report showing that four popular brands of children’s smartwatches contain serious security flaws: they ship with weak default passwords, do not encrypt communication, and allow uncontrolled downloading of software packages from external sources.
The case was described by Bleeping Computer, which says little has changed in the kids’ smart device industry, even though its security and privacy issues were mapped out a few years ago.
All the watches analyzed by Dr. Web are nevertheless attracting attention in the market, as more and more parents want to control where their children are and what they are doing.
As stated by the company, most tested devices occasionally collect and transfer sensitive data to external servers without informed consent from the user. People who use these kinds of gadgets may not even realize it, points out Bleeping Computer.
Which watches did Dr. Web test? The Elari Kidphone 4G, Wokka Lokka Q50, Elari FixiTime Lite and Smart Baby Watch Q19. All of these watches are based on the Android operating system and are mainly popular in Eastern European countries.
Cybersecurity on your child’s wrist
The company’s tests have shown that the Elari Kidphone 4G watch is capable of, among other things, transferring data such as SIM card information, geolocation data, device information, contacts stored in the phone book, the app list on the smartphone, the SMS count and the call history to external servers without the user’s knowledge.
According to Dr. Web, the hidden modules of this device can be used to install malware, run remotely downloaded programs or display malicious advertisements. The Android.DownLoader.3894 module hidden in the watch can, according to experts, even be used for cyber espionage purposes.
The cheapest of the watches tested by the company, the Wokka Lokka Q50 (costing around 75 PLN), is, in the opinion of Bleeping Computer, an almost disposable gadget.
This smartwatch is secured with a weak default password, and all data transmitted between the device and servers located in Russia is accessible to anyone – as it is not encrypted in any way.
Potential attackers can therefore surprisingly easily intercept, for example, information from the device’s GPS module, and thus find out where a child using the watch is staying, studying or living.
The more expensive Elari FixiTime Lite (about 200 PLN) and Smart Baby Watch Q19 (about 100 PLN) do not encrypt communication either.
Not only watches
Smartwatches for kids aren’t the only problem in the smart gadget market for younger users.
Smart toys, including dolls and stuffed animals, appeared on the market around 2015, and one of the first such products was a Barbie doll equipped with basic artificial intelligence. Some analysts at the time called it a “privacy nightmare”, pointing out that the toy collects information about children and can be hacked very easily.
Since then, the entire market segment has grown tremendously and data collection by devices has become normalized. Today, smart toys collect a lot of data, recording events related to, among others, sensors, the Bluetooth module and WiFi, as well as activity in mobile applications and in the cloud.
Toys are often equipped with microphones and cameras, which allow them to be used, for example, for contact with family members. The facial recognition built into the dolls makes it possible to create the illusion of a unique connection with the child, whose face is identified by a favorite toy that reacts to the sight of its owner with a friendly greeting.
Privacy issues of smart toys
In 2017, the German federal office Bundesnetzagentur issued a warning about Cayla smart dolls, which were equipped with an insufficiently secured Bluetooth communication module that allowed the unlimited acquisition of personal data. The authority recommended that parents who bought these dolls for their children destroy them or throw them in the trash.
In the United States, the first privacy breach lawsuit involving smart toys was heard in court in 2018. The breach concerned provisions of the US COPPA (Children’s Online Privacy Protection Act), a regulation which, at the federal level, regulates the processing of personal data of children under the age of 13 in digital services and products. The regulatory violation was adjudicated by the Federal Trade Commission (FTC) – the body in the United States that handles both antitrust matters and cases related to abuse of users’ privacy and personal data.
In 2019, the FTC recognized that the problems posed by smart toys were so numerous that it issued a special communication aimed at American consumers, in which it drew attention to the risks associated with such devices. The commission recommended that parents, among other things, carefully consider whether the toys they choose for their children contain a microphone or camera, allow the child to send emails or log into social media accounts, and whether they offer appropriate parental control tools to monitor how the child uses the product.
Privacy and security already in the design stage
We wrote about the importance of designing digital products and services with cybersecurity and privacy in mind right from the planning stage on CyberDefence24.pl in October.
The Internet of Things is a specific segment of devices that function as a system of communicating vessels and, in practice, cannot function otherwise. Smart toys in this segment carry a much higher risk, as their recipients are children. Their security and privacy mechanisms should therefore be refined and strong by default.
Unfortunately, this is not so. Manufacturers are eager to “strike while the iron is hot”, which is why technically underdeveloped products appear on the market. Quite often, it is their weaknesses in security or privacy that make it possible to sell them at a price attractive to the consumer: these features are invisible, so from the point of view of many companies they are something to save on.