With the growing ubiquity of smart technology, children are, from a younger age than ever, adept at using many forms of consumer tech, from tablets to smart phones and speakers.
In recent years, this has seen a surge in the children’s smart watch market. According to Abacus, more smartwatches designed for children were sold in 2018 in China than those marketed at adults.
Although these devices may offer parents peace of mind, providing them with a smart phone alternative for keeping in contact with their offspring, they may come with hidden security vulnerabilities.
Verdict spoke to Deral Heiland, IoT lead at cybersecurity firm Rapid7, to find out how devices intended to keep children safe may in fact expose them to risks posed by hackers.
Reports of Internet of Things device vulnerabilities are not uncommon, with stories of hackable smart home security cameras or smart doorbells frequently hitting the headlines. Although these scenarios are alarming, for devices marketed specifically at children, this takes an even more sinister turn.
Those from the cybersecurity industry have warned that some smart devices, including children’s smart watches, may contain security flaws that make them easy to hack.
Research by Rapid7, which examined three children’s GPS-enabled smart watch models, revealed that a lack of functional SMS filtering may make it easy for attackers to take advantage of vulnerabilities.
A public service announcement issued by the FBI in 2017 warned that a lack of encryption in many internet-connected toys “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed”.
Business Insider also recently reported that “cheap smart watches designed for children” were available on Amazon for as little as $20 that have “critical flaws that could let strangers track and talk to the kids wearing the smartwatches”.
Many devices contain security flaws
Rapid7 has conducted research in this area, and Heiland explains the key security issues that were uncovered:
“There were two things that we determined. There’s this function called SMS filtering. These watches are controlled and configured using text messages, SMS message, and there’s a function supposedly configured into the watch where I can set it up and say ‘I only want you to allow connectivity SMS wise from this phone number’. And our testers tried that on two of the devices and it did not work. Anyone can still send text messages to the device, control it, and potentially manipulate the device. And also on top of that, using a phone number as a filter, since there’s so many ways of actually spoofing those numbers, can be problematic.”
He believes that if default passwords are not changed, further security issues arise. This is a common area of weakness for smart devices, with many device owners never changing passwords. In fact, researchers at Ben-Gurion University were able to discover default passwords for many devices via a Google search in under 30 minutes :
“The second one was a default password. And it’s common for IoT technology to come out of the box with a some form of default password. In this case, it’s 123456, which seems to be a common one on the style of devices. But the documentation and the methods and information on how to change that was very aloof. The ability to identify and change it or tell people to change it or force them to change it during the initial device setup was non-existent. And that in itself becomes a security issue.”
Heiland explains that a common issue when it comes to this type of device is a lack of awareness among consumers about what they are buying. So-called “white label” products may lack the security features of more well-known brands. Such devices may be manufactured in locations with weaker privacy or security standards, or may mean that any vulnerabilities are left unpatched:
“A common issue across a number of IoT technologies, not just smart watches, and that is white label products. White label products are ones that are manufactured, they have no branding, anyone can purchase them and throw their own branding on them…Which makes it problematic when you actually want to report issues.
“Often the people rebranding them don’t know anything about the [devices], or how they work, or how to maintain them. They’re just acting as resellers of this technology. The manufacturers often in these cases just produce a mass number of these things, sell them off and they never patch them or upgrade them, which is a common problem across white label products. “
“The parent needs to pay attention to the functionality of the watch”
Verdict has previously reported that a model of watch from Chinese manufacturer contained a vulnerability that could potentially enable an attacker to learn the GPS location of the wearer. This was due to an “unsecured online interface of the manufacturer server” that left the records of all registered users exposed.
“A number of these technologies also have what they call real-time tracking. So they have cloud services also. In the particular case of the watches, we looked at the cloud services which from initial testing appear to be fairly solid in the fact that it wasn’t possible for me to go into those and easily enumerate someone else’s children’s watch,” says Heiland. “But on the same aspect, it’s common for some of these low-end devices to be reregistered to multiple people. So if I can get the EIMI number off one of these children smartwatches I can often go register it under my name and then automatically start tracking the child.”
As part of its Secure by Design review last year, the UK Government urged manufacturers of IoT devices to ensure that security measures are an integral part of the manufacturing process. But what can the parents of children with smart watches do to ensure that devices do not cause unnecessary risk?
Heiland’s advice for IoT technology echoes that of many in the industry when it comes to good cyber practices:
“Sticking with branded devices, you’re going to get, for the most part, a better back end security model that facilitates keeping the devices patched and updated and upgraded and secure, because they have a brand to protect. The second one is, anytime you’re purchasing, specifically a smartwatch, I think the parent needs to pay attention to the functionality of the watch. Are they comfortable with those functions and those function is being on their child’s watch? That can be everything from being able to call into the device, to be able to call out. Does the thing have a camera? Can a camera be remotely triggered? can audio be remotely triggered on the device?
“Also anytime you get a device, first thing you want to do is you want to change the default passwords on it. You want to make sure that you’re using a fairly complex password that isn’t easily guessable. So you don’t want the the child’s name as the password or something like that..and you want to make sure you don’t reuse passwords.”
When it comes to smart devices specifically, he warns of the dangers of tampering with devices:
“Use the technology the way it was intended to be used. For example if you if you have smart lighting systems, or smart home automation systems that you don’t expose them directly to the internet. I’ve seen that done a number of times, someone gets a smart camera, they put it up on the internet. The smart camera has local access but doesn’t have necessarily cloud service access. So they immediately make it available on the internet so they can get to the device remotely from anywhere.”
Thankfully, explains Heiland, many vulnerabilities in devices such as smart watches are uncovered by researchers rather than malicious actors, highlighting the need for investment and cooperation in this area:
“We often hear a lot of stories, a lot of horrible stories, about IoT technology, mainly around vulnerabilities, all these vulnerabilities being found. But the one thing to think about is most of those vulnerabilities, 99% or higher, are actually being found by researchers like me, and the people that I work with. That is a positive note…And when we work with vendors that are more proactive around security, these problems are being fixed even well before information is being published about the vulnerability.”