Security researchers have found serious vulnerabilities in a series of children’s smartwatches sold on Amazon. The researchers warn that potential hackers could use these vulnerabilities to take over the devices, track children and even talk to them.
Security firm Rapid7 has revealed security flaws in three children’s smartwatches sold on Amazon for less than $40: Duiwoim, Jsbaby and Smarturtle. The watches are used as tracking devices and allow parents to send messages to or make phone calls to their children.
But Rapid7’s security researchers found that parents are not the only ones who can get in touch with a child wearing one of these watches. A built-in filter is supposed to allow only white-listed phone numbers to contact the watch, but Rapid7 found that the filter didn’t work at all.
The watches also receive configuration commands via text message, which means potential hackers can change the settings on the watch, putting the child at risk. The researchers say all three watches use the same software, so the vulnerabilities apply to all three.
Rapid7 researchers also found that the default password for all three smartwatches was identical: 123456. Rapid7 says people are unlikely to change the password, and the device doesn’t even tell the user that the password exists or how to change it. With this simple password and the ability to change configuration via text message, potential hackers could take over the devices, track children and even pair the smartwatches with their own phones, the researchers warned.
Another obvious problem found by Rapid7 was that it was impossible to contact the manufacturer of the three smartwatches. Because they have no way to reach the manufacturer, the researchers are concerned that the vulnerabilities will not be resolved. Amazon has not yet responded to a request for the three children’s smartwatches from its store.