30th May 2018
The popularity of smart children’s watches is increasing every day. These watches allow parents to keep track of the current location of their children. Most vendors allow parents to retrieve this information using a mobile app. Apart from the location, most vendors also let parents send text messages to the smartwatch and initiate a call. Sometimes it is even possible to start a call without confirmation from the watch itself, which makes it possible for parents to secretly listen to a child’s environment. Therefore, Germany banned the devices.
These watches collect sensitive information, such as locations, and store it centrally so that parents know where their kids are when they are wearing the smartwatch. DearBytes decided to dive into some of the smartwatches to identify whether these devices keep the data safe. We picked some random children’s smartwatch apps and started to investigate them. Early on in the research, we discovered a vulnerability in the hellOO smartwatch cloud environment. The vulnerability allows attackers to keep track of all the location history retrieved from smartwatches that were sold by hellOO. Later in the investigation, we determined that other resellers of the same product were affected by the vulnerability as well. The smartwatches are used by users from at least 13 different countries. This is how it works: