Researchers looked into the security of four popular children’s smartwatches and discovered pre-installed downloaders, weak passwords, and data flows that were not encrypted.
According to the findings, most of these gadgets capture sensitive data at random and regularly send it to remote servers without the user’s knowledge.
This is concerning because these devices are rapidly gaining in popularity, with parents purchasing them to track their children’s whereabouts and activities.
The Elari Kidphone 4G, Wokka Lokka Q50, Elari FixiTime Lite, and Smart Baby were all investigated by the Dr.Web antivirus team.
These are all Android-based smartwatches that are extremely popular in Russia, and their prices range from low to high.
Dr.Web discovered three hidden modules in the Elari Kidphone 4G smartwatch that send data to a central location and receive remote commands.
This communication occurs every eight hours by default, but it can easily be changed to a different interval.
SIM card information, geolocation data, device information, phonebook contacts, installed apps list, SMS count, and phone call history are among the data sent.
Dr.Web is concerned that the Elari Kidphone 4G’s secret modules could be used to install dangerous apps, download, install, launch, or uninstall programmes, and display adverts without the owners’ knowledge.
The Wokka Lokka Q50, which costs around $15 and is popular as a nearly throwaway item, is the most affordable option.
The researchers determined, however, that the watch’s default password (‘123456’) is weak, and that all data sent between it and the Russia-based server is unencrypted.
This makes man-in-the-middle attacks relatively easy to carry out, allowing threat actors to send SMS requests for GPS location, listen in on the wearer’s surroundings remotely, or even change the C&C server IP to one they control completely.