More and more parents now choose to buy smartwatches for children. Most of these smartwatches can be used to make calls and track the location of children in real-time. However, the whereabouts of children should only be known to parents who should not be tracked by others, otherwise, criminals taking advantage of the opportunity to track the location of children may cause personal injury. Therefore, the most important thing when choosing a children’s smartwatch is not the appearance and function but safety.
The latest report released by the security company AVAST shows that there are serious safety problems in the various children’s smartwatches produced by the Shenzhen i365 Tech manufacturer. The study found that the company’s various children’s smartwatches use the 123456 weak passwords, and each child smartwatch has an ID number. Security researchers continue to analyze the discovery that these children’s smartwatches transmit data to the server in real-time via clear text transmission, which is then forwarded by the server to the client. The website that provides the mobile app client download is also transmitted in plain text, which means that the attacker can conduct man-in-the-middle hijacking attacks from multiple channels.
Because of the clear text transmission, an attacker can easily perform a man-in-the-middle attack, which can then be used to obtain real-time global positioning information for a smartwatch. The firmware of these children’s smartwatches has design flaws, and the attacker can forge information to turn on the microphone to monitor the child or monitor the environment in which it is located. For example, when a child is at home or when the smartwatch is charged at home, the attacker can turn on the microphone to upload all the sounds in the home environment to the server. Parents who purchase the above mentioned manufacturer’s children’s smartwatches now have no reason to continue to wear such smartwatches that can leak information.
Before AVAST released this safety research report, it has contacted Shenzhen i365 Tech several times through multiple channels but did not receive any response. After a long period of non-response, the disclosure period set by the security company has been exceeded, so AVAST now decides to open the vulnerability to remind the user to stop wearing the watch. In addition, in the app store of Google and Apple, these smartwatch companion app “AIBEILE” also received a variety of bad reviews from countless parents and friends.