The SMA-WATCH-M2 smartwatch, which works as a GPS tracker via a SIM card, is designed to protect children and give parents a feeling of security. However, the widely sold children’s watch from a manufacturer in Shenzhen reveals to potential attackers the exact position data of more than 5,000 children around the globe. It also allows them to listen in on and manipulate confidential conversations and other information, proving that masses of cheap Chinese-made IoT devices fail to meet minimum IT security or privacy standards.
Children’s watch exposes Anna
In addition to the image, name and registered address data, the retrievable data also reveal the IMEI of the watch’s modem as well as real-time coordinates, which can be located and displayed very easily and accurately, for example via Google Maps. Through simple brute-force attacks on the unprotected Web API, the corresponding records of all registered users can be retrieved.
App helps locate foreign children
But that’s not all: A config file in the smartphone app directory can be used to take over any account whose data is available via the Web API. For this it is sufficient to put the determined user ID in the config file of the app. When the application is started, the app then automatically logs into the account belonging to that ID without requiring authentication. Either the app does not prompt for the user’s e-mail and password at all in such cases, or the mechanism intended for this does not work. Even if it did, this hurdle could easily be circumvented, because this data too is freely available to anyone through the vulnerability of the Web API.
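The two flaws described above (records served for any guessed user ID, and an app login that needs nothing but that ID) come down to the same missing check on the server. The following is an added example, not code from AV-TEST or from the watch manufacturer, modelling the flawed lookup beside a hardened one on constructed sample data; the record fields, account names, session tokens and client addresses are assumptions.

```python
"""
Added example (not AV-TEST's or the manufacturer's code). Models an endpoint
that returns a watch record for any numeric user ID with no authentication
(the reported flaw) beside a hardened version that requires a session token,
only serves records the logged-in parent account is authorised for, and counts
rejected lookups per client so that an ID sweep stands out in the logs.
"""
from collections import defaultdict

# Constructed sample data: watch records keyed by user ID, and the parent
# accounts allowed to see each one. IMEI and coordinates are placeholders.
WATCH_RECORDS = {
    1001: {"child": "Anna", "imei": "IMEI-PLACEHOLDER-1", "pos": (52.52, 13.40)},
    1002: {"child": "Ben", "imei": "IMEI-PLACEHOLDER-2", "pos": (48.14, 11.58)},
}
ACCOUNT_CHILDREN = {"parent-a": {1001}, "parent-b": {1002}}
# Session tokens issued after an e-mail/password login (constructed values).
SESSIONS = {"tok-a": "parent-a", "tok-b": "parent-b"}


def insecure_lookup(user_id):
    """The flawed design: whoever supplies a user ID gets the record."""
    return WATCH_RECORDS.get(user_id)


class HardenedApi:
    """Authorisation-checked lookup plus per-client rejection counting."""

    def __init__(self, alert_threshold=5):
        self.alert_threshold = alert_threshold
        self.rejections = defaultdict(int)  # client address -> rejected lookups

    def lookup(self, client, token, user_id):
        account = SESSIONS.get(token)
        # Reject unauthenticated calls and calls for records the account does
        # not own. Both cases return the same result so the response does not
        # reveal whether the ID exists, which would still allow enumeration.
        if account is None or user_id not in ACCOUNT_CHILDREN.get(account, set()):
            self.rejections[client] += 1
            return None
        return WATCH_RECORDS.get(user_id)

    def suspicious_clients(self):
        """Clients whose rejected lookups reached the threshold; a sequential
        sweep over user IDs without a valid session looks like this."""
        return sorted(c for c, n in self.rejections.items() if n >= self.alert_threshold)
```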
Conclusion: AV-TEST warns about SMA-M2 watch!
In summary, it can be said about the SMA children’s watch: the Chinese children’s watch is anything but a product for the protection of children; on the contrary, it is a real danger! It offers potential attackers the ability to identify the location of more than 5,000 children and to access data from over 10,000 parent accounts. Attackers gain access to sensitive personal information, including the names of parents, the name and image of the child, and the names and numbers of relatives and acquaintances in the phone book, which could be used to make contact with the child. Precisely this danger arises through the unprotected access to real-time position data and the possibility of direct contact by phone call and voice message. At the same time, legitimate users, such as the parents, can be locked out of the account, which prevents effective help in an emergency.