Experts from the Norwegian company Mnemonic surethat they discovered a backdoor specially implemented in the Xplora 4 children's smartwatch, created by the Chinese company Qihoo 360 Technology Co. As it turned out, the watch can take photos and record sound, and these functions are activated using an encrypted SMS message.
According to the manufacturer, more than 350,000 of these Android devices have been sold so far, which allow you to make and receive voice calls to parent-approved numbers, as well as send an alarm and meta location data to specified contacts. A separate app that runs on parents' smartphones allows you to monitor the use of the watch and receive alerts if the child leaves a certain geographic area.
Although Xplora Mobile AS distributes the watch in Europe and the United States, the hardware is designed and manufactured by the aforementioned Chinese company Qihoo 360, and it is also responsible for creating 19 out of 90 pre-installed Android apps for these devices.
"The backdoor itself is not a vulnerability," the researchers write. – This is a set of deliberately designed functions with corresponding names that allow you to remotely take a snapshot, report a location and organize a wiretap. The backdoor is activated by sending SMS commands to the watch, ”says Mnemonic.
Researchers believe that smartwatches can be used to covertly take photos using the built-in camera, to track the location of the wearer, and to listen to phone calls through the built-in microphone. The talking function names mentioned are WIRETAP_INCOMING, WIRETAP_BY_CALL_BACK, COMMAND_LOG_UPLOAD, REMOTE_SNAPSHOT, and SEND_SMS_LOCATION.
Experts do not claim that such an observation actually took place. The fact is that for a successful attack, you need to know not only the phone number of the device (there is a SIM card in the watch), but also the unique encryption key. At the same time, it is emphasized that this data is available to the developers of Qihoo 360 and Xplora, and it can also be physically extracted from devices using special tools.
Researchers fear, in particular, related to the fact that earlier Qihoo 360 was included in U.S. Department of Commerce Sanctions List… The US authorities believe that the Chinese government may have forced the company to engage in "activities contrary to the interests of national security or US foreign policy." That is, theoretically, the Chinese authorities may demand to activate the backdoors hidden in the clock.
Journalists The register cite a comment from Xplora representatives who claim that the problem was related to the remnants of the prototype forgotten in the code. Allegedly, during the development of the device, parents said that they would like to be able to contact their children in an emergency, as well as to be able to receive location data in the event of abduction. Later, they decided not to implement this functionality in the commercial version of the devices for privacy reasons.
Xplora also stressed that the problem has already been fixed: at the end of last week, a corresponding patch was released for the watch.
“It's important to note that the potential vulnerability requires physical access to the X4 watch and (knowledge of) the phone number,” says an Xplora spokesperson. – Even if this functionality is activated, the only place where the data will be located is the Xplora servers in Germany, located in a highly secure Amazon Web Services environment that is not accessible to third parties. Only two Xplora employees have access to the secure database where customer information is stored, and access to that database is carefully tracked and recorded. "