The EU has recalled a smartwatch over concerns that a security flaw could let a malicious user locate children wearing the watch, highlighting the danger of manufacturers rushing internet-connected devices to market without applying due diligence to IoT security.
The recalled product is Safe-KID-One and is made by German electronics vendor ENOX. It is designed to help parents contact and locate their children, as well as providing an emergency call function.
The smartwatch recall was published last week in a RAPEX (Rapid Alert System for Non-Food Products) alert that was picked up by Dutch news site Tweakers.
The European Commission’s RAPEX alert stated:
“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed.
“A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”
It added that the product does not comply with the EU’s Radio Equipment Directive, a regulatory framework that includes protecting privacy and personal data.
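As an added illustration (not code from the article, the vendor or the Commission), the Python below models the access pattern the alert describes: a backend lookup keyed by serial number alone, beside a handler that authenticates the caller and checks that the watch belongs to that account before reading location history or changing the emergency number. All serials, accounts and tokens are constructed sample values.

```python
"""Toy model of a child-tracker backend, showing the flaw class in the RAPEX
alert (no caller authentication, data addressable by serial number) next to
an ownership-checked version. Transport security (TLS) is out of scope here;
the alert's other finding, unencrypted app-to-server traffic, is not modelled.
"""
import hmac

# Constructed sample data: one watch per serial number, owned by one account.
DEVICES = {
    "SN-0001": {"owner": "parent_a", "locations": [(52.52, 13.40)],
                "sos_number": "+49-000-0001"},   # placeholder number
    "SN-0002": {"owner": "parent_b", "locations": [(48.14, 11.58)],
                "sos_number": "+49-000-0002"},   # placeholder number
}
TOKENS = {"tok-a": "parent_a", "tok-b": "parent_b"}  # bearer token -> account


def get_locations_unauthenticated(serial):
    """The pattern the alert describes: whoever knows or guesses a serial
    number receives that watch's location history. No caller identity."""
    return list(DEVICES[serial]["locations"])


def _authenticate(token):
    """Map a bearer token to an account; constant-time compare per token."""
    if token is None:
        return None
    for known, account in TOKENS.items():
        if hmac.compare_digest(known, token):
            return account
    return None


def _authorize(token, serial):
    """Every device-scoped endpoint goes through this one check."""
    account = _authenticate(token)
    if account is None:
        raise PermissionError("unauthenticated")
    device = DEVICES.get(serial)
    # Same error for "unknown serial" and "not your device", so responses
    # do not reveal which serial numbers exist.
    if device is None or device["owner"] != account:
        raise PermissionError("forbidden")
    return device


def get_locations(token, serial):
    """Hardened read: location history only for the caller's own watch."""
    return list(_authorize(token, serial)["locations"])


def set_sos_number(token, serial, number):
    """Hardened write: the emergency number can only be changed by the owner."""
    _authorize(token, serial)["sos_number"] = number
    return True
```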
Smartwatch recall: “Businesses need to build security in at the core”
Cesar Cerrudo, CTO at ethical hacking company IOActive, said that the smartwatch recall shows the dangers of rushing an IoT device to market “without proper consideration of privacy”.
The global number of IoT devices currently stands at around 23 billion and is expected to rise to over 40 billion by 2022, according to Statista.
As the number of devices increases, so too does the scope for malicious actions – especially if security is not built in from the start.
“We are connecting more and more of these devices to the internet and manufacturers are really not applying due diligence, which in the long run will be really costly,” added Cerrudo.
“While they may get the upper hand in beating the competition to get products to market, they lose out in the long run.
“Fines and the reputational damage – and in this case product recalls – can have a huge impact on revenues and consumer trust. Businesses need to build security in at the core of their solution, during the design phase, not as an after-thought.”
In October last year, the UK government launched a voluntary code of practice to encourage manufacturers to improve the security of IoT devices.
“More than 420 million internet-connected devices are expected to be in use across the UK within the next three years, and these IoT ‘endpoint’ devices increasingly constitute the frontline of cybersecurity,” said George Brasher, managing director of HP Inc. UK, which was one of the first companies to sign up to the IoT Code of Practice.
“Today’s commercial products should be produced with security built in, not bolted on – not only designed to protect, but also to detect and self-heal from cyberattacks. That is why HP has joined forces with the UK Government on their Code of Practice for Consumer IoT Security, with the ambition to raise the bar in consumer IoT device security, starting with the connected printers we are all used to at home.”