November 27, 2019

Smart watch vulnerability leaves locations of 5,000 children exposed

By Ellen Daniel

Researchers at the IoT laboratory at the AV-TEST Institute have warned that the SMA-WATCH-M2, a children’s smart watch with a GPS tracker, contains serious vulnerabilities that could expose the data and location of thousands of children around the world.

The smart watch, which allows the child’s parents to send messages and make voice calls, as well as seeing their location, is manufactured by Chinese company Shenzhen Smart Care Technology (SMA).

AV-TEST researchers discovered that the smart watch, made in Shenzhen in China, could allow hackers to “listen in and manipulate confidential conversations and other information”.

“Tops the security failures of other manufacturers by far”

A blog post, written by Maik Morgenstern, CTO at AV-TEST, describes how the real-time location of 5,000 children in various countries around the world, as well as their names, addresses, ages and images, were left unprotected on the manufacturer’s server.

The vulnerability stems from an “unsecured online interface of the manufacturer server”, from which unencrypted ongoing communications can be accessed without authentication.

Using the unprotected Web API “the corresponding records of all registered users can be found out”, according to Morgenstern, with data from users in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and China accessible to attackers.

In addition, another worrying smart watch vulnerability was discovered. A config file in the smartphone app directory means that attackers who have downloaded the app could easily link their own device to a child’s smart watch without needing to enter an e-mail address or password.

Morgenstern said that this smart watch vulnerability “tops the security failures of other manufacturers by far” and this incident highlights that “masses of cheap Chinese-made IoT devices are failing to meet minimum IT security or privacy standards”.

According to AV-TEST, the manufacturer was informed of the vulnerability, but the data was still available as of last week. However, German distributor Pearl has ceased selling the watch.

The “growing attraction to APIs” by attackers

Terry Ray, Senior Vice President and Fellow at Imperva, believes that this smart watch vulnerability highlights the use of public-facing APIs as a threat vector:

“Collection of personal data isn’t new, nor is the exposure of such data. What makes this exposure interesting is the use of a public-facing API to access the data. Gartner noted recently that public-facing APIs will be the most frequent threat vector by 2022, and this is a great example of the growing attraction to APIs. APIs are broadly used in modern applications, often change frequently, sometimes daily, and will continue to grow in their use throughout every major industry.

“The other issue with APIs is the internal trust model companies use to allow communication between company-owned components and internal data storage. Most companies today trust the API user to access all approved data behind it. This type of implicit trust means that when an API is breached, so is the implicit trust to the sensitive data behind that API. Oftentimes, companies even forego monitoring of application and API data access, because they assume that data access is secure and trusted, when in fact this data is actually both sensitive and at risk through such vulnerabilities or misconfigurations.”

He believes that a greater awareness of possible vulnerabilities is essential:

“For the personal consumer, it’s hard to know which company you can trust with your data. This isn’t any easier today than it was in recent years past. Consumers should demonstrate their need for data security through their purchasing decisions, and purchase from companies with effective track records of protecting personal consumer data.”
