Critical security flaws remain in smartwatches for kids

Published 7 December 2017
The Norwegian Consumer Council exposed serious security flaws in children’s smartwatches. Months later, after the companies attempted to fix the problems, the flaws are still as bad, and in one case even worse.

Earlier this year, the security company Mnemonic uncovered serious security flaws and unreliable safety functions in smartwatches for kids sold by Gator Norge and GPSforBarn. Strangers could easily take control of the watches and use them to track and listen in on the children wearing the devices.

Soon thereafter, the companies reported that all the flaws had been fixed. Based on the severity of the issues, and due to Mnemonic noting that the flaws would be very difficult to repair, the Consumer Council (NCC) commissioned a new technical test. The results show that not only were the problems still present, additional issues had appeared.

– This shows that these companies’ promises cannot be trusted. These watches do not belong on store shelves, and even less beneath the Christmas tree, says Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council.


Photo: The Norwegian Consumer Council

Adding to the severity of the issues, Gator Norge gave the customers of the Gator2 watches a new Gator3 watch as compensation. The Gator3 watch turned out to have even more serious security flaws, storing parents' and kids' voice messages on an openly available web server. The new watches also came with a significantly more expensive phone subscription.

In October, GPSforBarn launched the new app (GPSforalle) that works together with the watches. It contains security flaws similar to those described in their previous app, SeTracker.

Lack of control

– It is disconcerting that manufacturers, importers and retailers do not have better control over the products that they are selling. This is especially worrying when regarding safety-related products directed toward children, that could instead put the child in harm’s way, Finn Myrstad says.

– Until we see a reliable third party review of the security issues being fixed, we expect anyone selling the watches to pull them from the market, and to notify their customers about the flaws that have been found.

The NCC sent a formal complaint about the watches to the Norwegian Data Protection Authority (DPA) in September. The DPA has signaled that it is looking at Gator Norge and GPSforBarn.

On Friday November 24, Gator Norge sent an e-mail to their customers explaining the new security issues, and promised to release a new app and security patch for the watches. GPSforBarn have also made claims that the issues with their devices have been fixed, in many channels including through e-mail correspondence with the NCC.

What about watches in other countries?

Mnemonic writes in their technical report about the SeTracker apps:

“Other watches in the Viksfjord ecosystem, both other watch models using GPSFORALLE app, and watch models building on similar hardware models and using the SeTracker application (such as Wonlex), have not been re-tested in this iteration. However, based on our analysis in both reports, there are strong indications that these watches are also vulnerable, and that fixing the systematic security and privacy problems across the product range is likely to be difficult.”

The Gator brand works under a different brand and legal entity in the UK, called Techsixtyfour, which according to their own website uses the Gator 3 app as well. We cannot, however, guarantee that our findings also apply to this app. In the US market, the watch works under the brand “Caref”, but has a different app.

Summary of the re-test report from Mnemonic