For several years, AV-TEST researchers have been studying the security of smartwatches for children. This time the experts examined a budget device, the SMA-WATCH-M2 made by the Chinese company SMA, and concluded that the watch's protection leaves much to be desired: a $35 watch exposes the personal information and whereabouts of more than 5,000 children and their parents.
The researchers explain that the SMA-WATCH-M2 is designed to work in tandem with a companion mobile application. Parents register an account, pair the child's smartwatch with their phone and then use the app to track the child's location, make voice calls or receive notifications when the child leaves a defined area. There are many similar gadgets on the market, costing anywhere from $30 to $300, but the experts write that SMA has produced one of the least secure products in this category.
It turned out that anyone can query the watches' backend through its public API. This is the same backend the mobile application connects to in order to fetch the data displayed on the parents' phones. Although these requests carry an authentication token that is supposed to prevent unauthorized access, in practice an attacker can supply any token at all, because the server simply does not check whether it is valid.
As a result, an attacker can connect to the API, enumerate user identifiers and collect data about children and their parents: the child's current geographic location, the device type, the IMEI and the SIM card. In this way AV-TEST analysts were able to identify more than 5,000 smartwatch owners and more than 10,000 parent accounts. Most of the children were in Europe, in countries such as the Netherlands, Poland, Turkey, Germany, Spain and Belgium, but active smartwatches were also found in China, Hong Kong and Mexico.
The mobile application installed on the parents' phones was also extremely insecure. An attacker can install the application on his own device, change the user ID in its configuration file and thereby associate his smartphone with another child's smartwatch, without ever entering the email address or password of the parent account. The app's functions can then be used to track the child on a map, make calls and start voice chats with the child.
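Both weaknesses described above, a backend that accepts any token and an app that trusts a client-supplied user ID, come down to checks that belong on the server. The following Python is an added illustration, not code from AV-TEST, SMA or the watch's real backend; the signing key, device records and function names are constructed placeholders. It shows the flawed pattern (a token that is required but never validated) next to a handler that first verifies the token's HMAC signature and expiry and then checks that the authenticated account actually owns the watch it is asking about.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo values: a real service would load the signing key from a
# secrets store and the device records from its database.
SECRET = b"constructed-demo-signing-key"
DEVICES = {
    "watch-001": {"owner": "parent-1", "location": (52.37, 4.90), "imei": "IMEI-PLACEHOLDER-1"},
    "watch-002": {"owner": "parent-2", "location": (41.39, 2.17), "imei": "IMEI-PLACEHOLDER-2"},
}


def issue_token(user_id, secret=SECRET, ttl=3600, now=None):
    """Return '<payload>.<signature>'; the signature is HMAC-SHA256 over the payload."""
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now + ttl)},
                         separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(sig).decode())


def verify_token(token, secret=SECRET, now=None):
    """Return the user id the token was issued for, or None if it is malformed, forged or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Constant-time comparison: a forged or tampered token fails here.
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if not isinstance(claims, dict) or claims["exp"] < now:
            return None
        return claims["uid"]
    except (ValueError, KeyError, TypeError, binascii.Error):
        # Wrong shape, bad base64, bad JSON or missing claims all mean "not authenticated".
        return None


def weak_lookup(token, device_id):
    """The flaw the report describes: a token is demanded but never validated."""
    if not token:
        return 401, {"error": "token required"}
    device = DEVICES.get(device_id)
    if device is None:
        return 404, {"error": "not found"}
    return 200, device


def safe_lookup(token, device_id, now=None):
    """Authenticate the token, then authorise: only the device's owner may read it."""
    uid = verify_token(token, now=now)
    if uid is None:
        return 401, {"error": "invalid token"}
    device = DEVICES.get(device_id)
    # Same response for "no such device" and "not yours", so the API does not
    # confirm which device ids exist to callers who do not own them.
    if device is None or device["owner"] != uid:
        return 404, {"error": "not found"}
    return 200, device


if __name__ == "__main__":
    now = 1_700_000_000
    good = issue_token("parent-1", now=now)
    print("weak, junk token :", weak_lookup("anything", "watch-001")[0])      # 200
    print("safe, junk token :", safe_lookup("anything", "watch-001", now)[0])  # 401
    print("safe, owner      :", safe_lookup(good, "watch-001", now)[0])        # 200
    print("safe, other user :", safe_lookup(good, "watch-002", now)[0])        # 404
```

The ownership test in `safe_lookup` is the part that the client-side user-ID change defeats when it is missing: changing an identifier in a local configuration file should at most let an attacker ask for someone else's watch, never receive it. Keying the lookup on the identity inside the verified token, rather than on anything the client sends in the clear, closes both holes.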
Even worse, an attacker can change the account's password and lock the real parents out of the application while he himself communicates with the child.
The researchers write that they contacted SMA representatives and informed the company of the problems. How SMA reacted is unclear, but the report notes that the watch is still being sold through the company's website and other distributors. Some distributors, however, have already stopped selling the SMA-WATCH-M2 since the report was published.