On November 26th, the IoT testing department of the testing agency AV-TEST released a report stating that a smart children's watch made by a Chinese company has serious security flaws, exposing the personal details and location data of more than 5,000 children and their parents.
Researchers said that the SMA-WATCH-M2 is manufactured by the Chinese company SMA and has been on the market for many years. The watch must be used with the accompanying mobile application: parents register an account with the SMA service, pair the child's smartwatch with their phone, and then use the app to track the child's location, make voice calls, or receive a notification when the child leaves a designated area. The concept is not new, and the market is flooded with similar products priced from $30 to $200. Maik Morgenstern, CEO and technical director of AV-TEST, said that, in the digital product ratings surveyed, SMA's is one of the most unsafe products on the market.
The watch's backend can be queried by anyone through a publicly accessible Web API, the same interface the mobile app uses to retrieve the data it displays on the parent's phone. Normally, access to this interface would require an authentication token to prevent unauthorized use. Because the Web API is exposed without one, an attacker can connect to it and cycle through all user IDs, collecting the data of every child and parent. Morgenstern said that using this technique, his team was able to identify more than 5,000 M2 smartwatch wearers and more than 10,000 parent accounts.
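As an added illustration (not code from the AV-TEST report or from SMA), here is a minimal backend record lookup of the kind the report describes, with the unchecked version beside a hardened one that requires a signed token and confirms the requested child belongs to the authenticated parent account, plus a simple server-side counter that flags a caller touching many distinct IDs. The secret, account names and child records are constructed placeholders.

```python
import base64
import hashlib
import hmac
from collections import defaultdict

# Constructed server-side secret and records (placeholders, not SMA's real data).
SECRET = b"constructed-server-secret"
CHILDREN = {
    1001: {"parent": "parent_a", "name": "child A", "position": (52.52, 13.40)},
    1002: {"parent": "parent_b", "name": "child B", "position": (48.14, 11.58)},
}

def issue_token(parent_id: str) -> str:
    """Mint a bearer token that binds a session to one parent account (HMAC-SHA256)."""
    sig = hmac.new(SECRET, parent_id.encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(parent_id.encode()).decode() + "." + sig

def verify_token(token: str):
    """Return the parent account the token was issued to, or None if it is missing or forged."""
    try:
        b64_id, sig = token.split(".", 1)
        parent_id = base64.urlsafe_b64decode(b64_id).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    expected = hmac.new(SECRET, parent_id.encode(), hashlib.sha256).hexdigest()
    return parent_id if hmac.compare_digest(expected.encode(), sig.encode()) else None

def get_child_vulnerable(child_id: int):
    """The pattern the report describes: the record goes to any caller who supplies an ID."""
    return CHILDREN.get(child_id)

def get_child(token: str, child_id: int):
    """Hardened handler: authenticate the caller, then authorise the specific record."""
    parent_id = verify_token(token)
    if parent_id is None:
        return 401, None
    record = CHILDREN.get(child_id)
    # Same response for "no such child" and "not your child", so the API does not confirm which IDs exist.
    if record is None or record["parent"] != parent_id:
        return 404, None
    return 200, record

class EnumerationMonitor:
    """Server-side detection: flag a caller that requests more distinct child IDs than any one parent should."""
    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.seen = defaultdict(set)
    def observe(self, caller: str, child_id: int) -> bool:
        self.seen[caller].add(child_id)
        return len(self.seen[caller]) > self.threshold
```

A production token would also carry an expiry and be issued only after a login; the ownership check in `get_child` is the part that closes the enumeration path, since a valid token for one account still yields nothing for another account's child.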