Kids' Smart Watch Recalled Over Security Concerns

Written by

The European Commission is trying to recall a German-made children’s smart watch model over security concerns that hackers could communicate with or monitor the wearer.

It issued a recall notice under the Rapid Alert System for Non-Food Products (RAPEX), claiming the risk level is “serious.”

It says that the Safe-KID-One device produced by Hamburg-based Enox Group does not comply with the Radio Equipment Directive and all models should be recalled from end users.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed,” the RAPEX notice revealed.

“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

IOActive CTO, Cesar Cerrudo, argued that this is another example of IoT devices being rushed to market without due diligence.

“While they may get the upper hand in beating the competition to get products to market, they lose out in the long run,” he added. “Fines and the reputational damage — and in this case product recalls — can have a huge impact on revenues and consumer trust. Businesses need to build security in at the core of their solution, during the design phase, not as an after-thought.”

The Safe-KID-One is just the latest in a long line of smart devices made for young people that has been found to have serious security and privacy vulnerabilities.

Over 800,000 user accounts and millions of voice conversations between parents and their kids were left exposed online after an issue at California-based CloudPets in 2017.

In the same year, German regulators urged parents not to buy the Cayla doll, warning that hackers could use an insecure Bluetooth device in the toy to listen and talk to the child playing with it.

In fact, UK consumer rights body Which? claimed to have found Bluetooth vulnerabilities in numerous connected smart toys, calling for such devices to be taken off the shelves.

“Connected toys are becoming increasingly popular, but as our investigation shows, anyone considering buying one should apply a level of caution,” argued MD of home products and services, Alex Neill, at the time. “Safety and security should be the absolute priority with any toy. If that can’t be guaranteed, then the products should not be sold.”

What’s hot on Infosecurity Magazine?