Stores are selling cheap $50 smartwatches for kids. They are ideal for parents to keep track of their kids and communicate with them. Should you get one?
I remember when I was a kid, I wished there existed a Dick Tracy type of communication device that looked like a wristwatch. Whenever Dick Tracy wanted to talk to someone, he would lift his arm and talk through his wristwatch. Today, such technology exists. We have smartwatches that function as a smartphone: they can make video calls, send and receive text messages, take pictures and so on. Parents can communicate with their kids and even track their physical locations. Best of all, smartwatches are cheap. You can get them for under $100 and they look colourful and cool. Since Christmas is coming, why not get them for your kids?
Well, if you are a parent, think again.
Dr. Web Antivirus has just released research on smartwatches for kids. They pulled apart and analysed several popular models. I won’t repeat their research article here, but based on Dr Web Antivirus’s research, here are some general principles to keep in mind.
All smart devices ‘phone home’
Every computer, smartphone, tablet, smartwatch and other ‘smart’ device that can connect to the Internet will ‘phone home’. Your Windows and Mac computers, iPhones and Android phones all ‘phone home’ to Apple, Microsoft and Google. They have to do that in order to provide the ‘smart’ functionality. It is to be expected. There is no question about that.
But what differentiates a trusted smart device from a malicious one is whether you trust the software code running inside it, as well as the server it ‘phones home’ to.
Can smart devices update their own software securely?
As I wrote in Top 10 Things You Must Do to Avoid Getting Hacked,
The IT industry has not figured out how to write secure code.
Every time hardware and software vendors release new products, more lines of computer code are released as well. More lines of code mean more cybersecurity holes. That means there are always holes to be patched.
Worse still, there are always massive backlogs of holes to be found and patched. For example, even today, Microsoft is still finding holes in code written a dozen years ago in their latest Windows operating system!
Therefore, vendors are always on the never-ending treadmill of releasing patches for security holes in their code. You will need to be always up to date with the patches to be secure.
All responsible device manufacturers must provide a means to update the software running inside their devices. The question is whether the update mechanism is secure or not. If the update mechanism is not secure, then incidents like this can happen:
Passwordstate, the enterprise password manager offered by Australian software developer Click Studios, was hacked earlier this week, exposing the passwords of an undisclosed number of its clients for approximately 28 hours. The hack was carried out through an upgrade feature for the password manager and potentially harvested the passwords of those who carried out upgrades.
On Friday, Click Studios issued an incident management advisory about the hack. It explained that the initial vulnerability was related to its upgrade director—which points the in-place update to the appropriate version of the software on the company’s content distribution network—on its website. When customers performed in-place upgrades on Tuesday and Wednesday, they potentially downloaded a malicious file, titled “moserware.secretsplitter.dll,” from a download network not controlled by Click Studios.
What Dr Web Antivirus discovered is that some of these smartwatches employ dodgy code to perform software updates. Dr Web calls this code ‘malicious’, probably because the same code is also used by malicious software to update itself. Dr. Web also found that the code transmits a lot of information to unknown servers, including:
- Your child’s geolocation
- Mobile phone number of the smartwatch
Will you be comfortable with these two pieces of information about your child being sent to unknown servers?
Do these smart devices know anything about cybersecurity?
Some of these smart devices have extremely poor cybersecurity practices:
- For example, they send your child’s geolocation data to their server unencrypted. For parents to know the location of their child, the smartwatch has to transmit the child’s geolocation to a server. Even if you trust the server it transmits the information to, will you be comfortable with that information travelling unencrypted?
- Another example: some of these smartwatches use default passwords. Default passwords are VERY bad for cybersecurity. Firstly, they are publicly known information. Secondly, we cannot expect every parent to be tech-savvy enough to change them. Default passwords are such a bad idea that the UK recently made them illegal: manufacturers of Internet-connected devices that use default passwords run the risk of legal penalties.
- Some of these smartwatches can be controlled merely by sending text messages to them. If hackers know the phone number of the smartwatch and the password, they can control it. Since there is a high chance that parents have not yet changed the default password (which is publicly known information), they may be leaving their kids’ smartwatches open to control by hackers.
- Even if the hacker does not know the password, there is a loophole: without the password, the hacker can still query the parent’s mobile phone number, and with this information there is an exploit that lets the hacker change the password of the smartwatch. Dr Web Antivirus did not provide details of how it is done, but I bet it involves spoofing the parent’s mobile number. As I wrote in this article, that can be done easily.
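To make the list concrete, here is an added example, not any manufacturer’s firmware, of how an SMS command handler on such a watch could close the weaknesses above: it refuses to operate while the factory default password is unchanged, answers nothing without the password (including the parent-number query), and treats the sender number as log data rather than authentication because it can be spoofed. The command format, the default password and the phone numbers are constructed for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"strings"
)

// FactoryDefault is a constructed placeholder, not any real model's default.
const FactoryDefault = "123456"

// Watch is the owner state an SMS-controlled watch keeps.
type Watch struct {
	Password     string
	ParentNumber string
}

func same(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// HandleSMS accepts commands of the constructed form "pw#<password>#<cmd>[#arg]".
// Rules: nothing, not even the read-only parent-number query, is answered
// without the password; the watch refuses all remote commands while the
// factory default is still set; and the sender number is recorded for the
// parent's log but never trusted as authentication, since it can be spoofed.
func (w *Watch) HandleSMS(from, body string) (string, error) {
	parts := strings.Split(body, "#")
	if len(parts) < 3 || parts[0] != "pw" {
		return "", errors.New("malformed command")
	}
	if same(w.Password, FactoryDefault) {
		return "", errors.New("setup incomplete: default password must be changed from the app")
	}
	if !same(w.Password, parts[1]) {
		return "", errors.New("authentication failed (sender " + from + ")")
	}
	switch parts[2] {
	case "parent":
		return w.ParentNumber, nil
	case "setpw":
		if len(parts) < 4 || len(parts[3]) < 8 || same(parts[3], FactoryDefault) {
			return "", errors.New("new password rejected")
		}
		w.Password = parts[3]
		return "password changed", nil
	}
	return "", errors.New("unknown command")
}
```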
Kids’ smartwatches are cheap, but you get what you pay for. Manufacturers of cheap smartwatches have the expertise to produce great devices at low cost, but they don’t have the cybersecurity expertise and financial resources to make a safe, secure and private device. Thus, their products suffer from poor cybersecurity practices and are vulnerable to supply-chain attacks.
If you want to buy a smartwatch for your kids, it is better to stick to manufacturers with a track record in cybersecurity. The safest bet is to buy from well-known brands with such a track record, like Apple and Google. If you are uncomfortable with Google’s business model of collecting data about you, then Apple is your best choice. You can also consider big brands like Samsung and Garmin. Basically, stay away from cheap unknown manufacturers.