child smart watch

Millions of Children-Tracking Smartwatches Are At Risk Of Being Hacked

New findings by security firm Pen Test Partners reveal that 47 million devices worldwide could be exposed and tracked thanks to a strikingly insecure cloud platform.

Throughout 2019, security researchers have discovered striking flaws about child-tracking smartwatches that could be manipulated by hackers. But new findings reported by TechCrunch show that the smartwatches had a larger problem on their hands: a very insecure common cloud platform lacking basic cybersecurity protections.

Researchers found that the cloud platform, made by Chinese electronics company and location-tracking giant Thinkrace, puts at least 47 million devices at risk of being hacked. Because each device interacts with the cloud platform either directly or through a web domain set up by a reseller, cybersecurity firm Pen Test Partners was able to all commands for the devices back to the faulty cloud platform.

“It’s only the tip of the iceberg,” Ken Munro, the founder of the company, told TechCrunch.

The firm’s findings show that most of the commands that control the devices do not require authorization, allowing hackers to gain access to a device and track its location. There is also no randomization of account numbers, allowing the researchers to access devices in bulk by increasing each account number by one.

Disturbingly, researchers were also able to access voice messages recorded and stored in the insecure cloud that were meant to be exchanged between parents and children. The device, sold by a reseller of Thinkrace’s smartwatches, is used by some five million children and parents, according to TechCrunch.

Researchers compared their findings to CloudPets, a WiFi-enabled teddy bear that left its cloud unprotected and exposed the voice recordings of two million kids.

In 2015 and 2017, Pen Test Partners disclosed the vulnerabilities to electronic makers, including Thinkrace. Some resellers fixed their vulnerable “endpoints,” TechCrunch reported, but many companies ignored the warnings, which pushed the firm to go public with its discoveries.

While consumers may not think they own a Thinkrace smartwatch, many of its devices are sold to popular companies for resale. Some of those companies include Lenovo, Vodafone, Allianz and Huawei.

That’s why Munro recommends that consumers stay away from using the devices. Users can also contact the company selling the watch to ask if their watches are manufactured by Thinkrace, and if the business depends on Thinkrace’s cloud platform.

About the Author

Haley Samsel is an Associate Content Editor for the Infrastructure Solutions Group at 1105 Media.

Featured

Featured Cybersecurity

Webinars

New Products

  • HD2055 Modular Barricade

    Delta Scientific’s electric HD2055 modular shallow foundation barricade is tested to ASTM M50/P1 with negative penetration from the vehicle upon impact. With a shallow foundation of only 24 inches, the HD2055 can be installed without worrying about buried power lines and other below grade obstructions. The modular make-up of the barrier also allows you to cover wider roadways by adding additional modules to the system. The HD2055 boasts an Emergency Fast Operation of 1.5 seconds giving the guard ample time to deploy under a high threat situation. 3

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • Camden CV-7600 High Security Card Readers

    Camden CV-7600 High Security Card Readers

    Camden Door Controls has relaunched its CV-7600 card readers in response to growing market demand for a more secure alternative to standard proximity credentials that can be easily cloned. CV-7600 readers support MIFARE DESFire EV1 & EV2 encryption technology credentials, making them virtually clone-proof and highly secure. 3