(Bloomberg) -- Security researchers discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and track kids.
Rapid7 Inc., a cybersecurity firm based in Boston, purchased three smartwatches on Amazon.com, costing from $20 to $35, according to Deral Heiland, research lead for IoT technology. He said the models -- GreaSmart Children's SmartWatch, Jsbaby Game Smart Watch and SmarTurtle Smart Watch for Kids -- were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school-aged kids.
All three devices offer location tracking, messaging and chat features. They were manufactured in China and shared nearly identical hardware and software. They also had similar security issues, Rapid7 found.
The watches let authorized users view and change configuration details by texting the watch directly with certain commands. In practice, this didn't work and "unlisted numbers could also interact with the watch," Rapid7 said in a report.
This security issue could be fixed with a vendor-supplied firmware update, but "such an update is unlikely to materialize given that the providers of these devices are difficult to impossible to locate," the cybersecurity firm added.
The watches have a default password of "123456," but one of the watch's manuals doesn't mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn't characterize the numbers as a password nor does it provide instructions on how to change it, according to the researchers.
"Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent)," Rapid7 said in its report.
An unauthorized user could shut off all the safety protocols a parent had set up on the smartwatch, Heiland said.
Rapid7 said its researchers weren't able to contact the sellers nor what they believe is the manufacturer of the watches, a Chinese company called 3g Electronics Co. The company didn't respond to a message from Bloomberg News seeking comment.
The GreaSmart Children's SmartWatch is no longer for sale on Amazon, according to Rapid7. GreaSmart, Jsbaby, SmarTurtle didn't respond to a requests for comment. Oltec, a merchant that sells the SmarTurtle watch on Amazon, didn't respond to a message sent via Amazon's site.
"Consumers that are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons," Rapid7 warned in its report.
To contact the reporter on this story: Andrew Martin in New York at email@example.com
To contact the editors responsible for this story: Tom Giles at firstname.lastname@example.org, Alistair Barr, Andrew Pollack
For more articles like this, please visit us at bloomberg.com
©2019 Bloomberg L.P.