Flaws in Smartwatches on Amazon May Let Strangers Track Kids





(Bloomberg) -- Security researchers discovered vulnerabilities in cheap smartwatches for children that make it possible for strangers to override parental controls and track kids.

Rapid7 Inc., a cybersecurity firm based in Boston, purchased three smartwatches on Amazon.com, costing from $20 to $35, according to Deral Heiland, research lead for IoT technology. He said the models -- GreaSmart Children's SmartWatch, Jsbaby Game Smart Watch and SmarTurtle Smart Watch for Kids -- were picked randomly from dozens for sale on Amazon and marketed as appropriate for grade school-aged kids.

All three devices offer location tracking, messaging and chat features. They were manufactured in China and shared nearly identical hardware and software. They also had similar security issues, Rapid7 found.

The watches let authorized users view and change configuration details by texting the watch directly with certain commands. In practice, that restriction didn't work and "unlisted numbers could also interact with the watch," Rapid7 said in a report.

This security issue could be fixed with a vendor-supplied firmware update, but "such an update is unlikely to materialize given that the providers of these devices are difficult to impossible to locate," the cybersecurity firm added.

The watches have a default password of "123456," but one of the watches' manuals doesn't mention the password, according to the researchers. Another mentioned the password in a blog but not in its printed material. The third doesn't characterize the numbers as a password, nor does it provide instructions on how to change it, according to the researchers.

"Given an unchanged default password and a lack of SMS filtering, it is possible for an attacker with knowledge of the smartwatch phone number to assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent)," Rapid7 said in its report.

An unauthorized user could shut off all the safety protocols a parent had set up on the smartwatch, Heiland said.

Rapid7 said its researchers weren't able to contact the sellers or what they believe is the manufacturer of the watches, a Chinese company called 3g Electronics Co. The company didn't respond to a message from Bloomberg News seeking comment.

The GreaSmart Children's SmartWatch is no longer for sale on Amazon, according to Rapid7. GreaSmart, Jsbaby and SmarTurtle didn't respond to requests for comment. Oltec, a merchant that sells the SmarTurtle watch on Amazon, didn't respond to a message sent via Amazon's site.

"Consumers that are concerned with the safety, privacy, and security of their IoT devices and the associated cloud services are advised to avoid using any technology that is not provided by a clearly identifiable vendor, for what we hope are obvious reasons," Rapid7 warned in its report.

To contact the reporter on this story: Andrew Martin in New York at amartin146@bloomberg.net

To contact the editors responsible for this story: Tom Giles at tgiles5@bloomberg.net, Alistair Barr, Andrew Pollack


©2019 Bloomberg L.P.
