Security company Rapid7 has disclosed security vulnerabilities in three children’s smartwatches sold on Amazon for less than $40: the GreaSmart, the Jsbaby, and the Smarturtle. The watches are used as tracking devices that let parents locate their children, send them messages, or call them. Researchers warn that potential hackers can use these security holes to take over the device and track children or even talk to them.
Rapid7’s security researchers found that parents are not the only ones who can contact children wearing the watches. A built-in filter is supposed to allow only phone numbers on the whitelist to contact the watch, but Rapid7 found that this filter simply didn’t work effectively.
These watches also accept configuration commands via SMS, which means that potential hackers can change settings on the watch, putting the child at risk. The researchers said that all three watches use the same software, so the vulnerabilities apply to users of all three.
Rapid7 researchers also found that all three smartwatches share the same default password: 123456. Rapid7 says people are unlikely to change this password, and the device won’t even tell users that the password exists or how to change it. Researchers warn that with this simple password and the ability to change configurations via SMS, potential hackers can take over the device and track children, and even pair the smartwatches with their own phones.
Rapid7 researchers have no way to get in touch with the manufacturer and are concerned that these vulnerabilities will not be fixed. Amazon has so far not responded on whether it will remove the three children’s smartwatches from its store.