The smartwatch SMA-WATCH-M2, which works as a GPS tracker via SIM card, is designed to protect children and give parents a feeling of security. However, the widely sold children’s watch from a manufacturer in Shenzhen reveals to potential attackers the exact position data of more than 5,000 children around the globe. It also allows them to listen in on and manipulate confidential conversations and other information, proving that masses of cheap Chinese-made IoT devices are failing to meet minimum IT security or privacy standards.

Children’s watch exposes Anna

Unlike our usual reports, this one does not start with technical information about a device tested in the IoT laboratory of the AV-TEST Institute, but with the story of a little girl. It is about Anna, a fourth grader from the city of Dortmund in Germany. She lives with her parents in the posh district of Lücklemberg. But currently she is on vacation with her grandparents on the North Sea island of Norderney, because Anna’s parents have to work. Anna is staying with her grandparents in a small guesthouse in the Fischerhafen district. And because grandma and grandpa are not very mobile, Anna likes to take short hikes to the old harbor alone, because with a bit of luck you can watch gray seals from there. Mostly she goes after dinner at 2 o’clock with Grandpa’s binoculars and stays for about an hour at her lookout. Anna is allowed to make these hikes without grandma and grandpa; after all, she is already 10 years old and the island of Norderney is a manageable patch of earth.

In addition to image, name and registered address data, the retrievable data also reveal the IMEI of the watch’s modem as well as real-time coordinates, which can be located and displayed very easily and accurately via Google Maps, for example. Through simple brute-force attacks on the unprotected Web API, the corresponding records of all registered users can be found.

The position data of the children’s watch, which we intercepted via the Web API, show the exact position of the watch at the time of the test.

App helps locate foreign children

But that’s not all: A config file in the smartphone app directory can be used to take over any account whose data is available via the Web API. For this it is sufficient to put the determined user ID in the config file of the app. When the application is started, the app then automatically logs into the account belonging to that ID without requiring authentication. The app does not even prompt for the user’s e-mail and password in such cases, or the mechanism intended for this does not work. But even if it did, this hurdle could easily be avoided, because even this data is freely available to anyone through the vulnerability of the Web API.

Accordingly, the app belonging to the Chinese children’s watch also gives attackers the opportunity to conveniently access any account and, like the legitimate user, to use the full functionality of the parent app, including position determination, voice messages, telephony and all other functions. Other users of the app receive no warning message. And like the majority of Chinese IoT products currently flooding the European market, the SMA children’s watch has no GDPR-compliant privacy policy, just a Chinese version.

Conclusion: AV-TEST warns about SMA-M2 watch!

In summary, it can be said about the SMA children’s watch: The Chinese children’s watch is anything but a product for the protection of children; on the contrary, it is a real danger! It offers potential attackers the ability to identify the location of more than 5,000 children and to access data from over 10,000 parent accounts. Attackers are given access to sensitive personal information, including the names of parents, the name and image of the child, and the names and numbers of relatives and acquaintances in the phone book, which can be used in the event of possible contact with the child. And precisely this danger arises from the unprotected access to data for real-time position determination and the possibility of direct contact by phone call and voice message. At the same time, legitimate users, such as the parents, can be locked out of the account, which prevents effective help in an emergency.

The heat map created in the test shows the current position of each children’s watch of the Chinese manufacturer SMA and could lead potential attackers right up to the door of each child’s home.
At the time of the last check by AV-TEST, in addition to Anna’s account, 420 accounts with a German telephone number were still identifiable. Our engineers also came across a variety of accounts in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and, of course, China. However, it is to be feared that the dangerous children’s watch, not least because of its competitive price of just under $30, is significantly more widespread. As in Germany, the SMA-M2 children’s watch is also distributed as a private brand by importers in other countries. Accordingly, it can be assumed that the number of endangered users is significantly higher. The AV-TEST Institute has therefore not only warned the German distributor Pearl about the threats posed by the Chinese IoT product, but has also informed the Computer Emergency Response Team (CERT) of the Federal Office for Information Security (BSI).

Update (January 15, 2020)

After the AV-TEST Institute informed Pearl, the German supplier of the children’s watch, about the dangers, the supplier took immediate action, contacted the Chinese manufacturer SMA and initiated the patching of the following security flaws that were directly dangerous for users: a) transmission of data in plain text by the “Easy Tracker” app when accessing the API of the manufacturer’s website, b) access to the website API without authentication, which has been disabled, c) the possibility of taking over user accounts by manipulating the configuration file of the app.