Amazon sells children’s smartwatches that are so easy to hack strangers could track and talk to kids, security researchers say

The SmarTurtle Kid's Smartwatch is one of several generic smartwatches sold on Amazon that Rapid7 found to have serious security flaws.

  • Amazon sells cheap smartwatches designed for children. The relatively low price tag, limited functionality, and ease of use compared to a smartphone make them tempting options for parents.
  • But researchers found that these smartwatches have critical flaws that could let strangers track and talk to the kids wearing them.
  • The cheap smartwatches sold on Amazon that were tested have incredibly weak security measures that could let pretty much anyone with the intent obtain control of a kid’s smartwatch.
  • Parents’ best bet is to stick to recognizable brands, even if it means higher price tags.

Cheap smartwatches sold on Amazon that range between $20 and $35 and are designed for children have critical flaws that could let strangers track and talk to the kids wearing the smartwatches, according to Boston-based cybersecurity researchers Rapid7.

“It is possible that an attacker with knowledge of the smart watch phone number could assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent),” Tod Beardsley, director of research at Rapid7, said in the report, which was earlier reported by Bloomberg.

These smartwatches come with GPS and voice chat functions, and their low price tags, limited functionality, and ease of use compared with smartphones make them popular options for parents who want to know where their children are or communicate with them without a smartphone.

But Rapid7’s findings showed that the security measures on the smartwatches were often ineffective, and many didn’t work at all.

One way a guardian can change a child’s smartwatch settings remotely is by sending a text message to the device. To prevent strangers from changing the settings, a list of pre-approved numbers can be set up. But Rapid7 said that this security measure, a whitelist, was a “weak control, even in the best of circumstances.”

Rapid7 found that the whitelist had no effect on who could alter the smartwatch’s settings. Anyone, even those who weren’t on the pre-approved list, could send a text message to one of these smartwatches to change their settings.

“In practice, this filter did not appear to be functional at all,” Beardsley wrote, “unlisted numbers could also interact with the watch.”

The other flaw involves the smartwatches’ default passwords. Rapid7 found that the smartwatches’ manuals had little to no information on the default passwords and how to change them. As a result, users are unlikely to change the default password, which makes it easy for anyone who wants access to the smartwatches to obtain control.
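The two controls described above can be modeled in a few lines of Python. This is an added example, not code from Rapid7's report or from the watches' firmware: it puts a settings-by-text handler in which the pre-approved list has no effect next to one that fails closed. The `password,key,value` message format, the setting names and the `FACTORY-DEFAULT` placeholder are assumptions made for illustration.

```python
import hmac
import re

FACTORY_DEFAULT = "FACTORY-DEFAULT"  # placeholder; the article gives no real value

def normalize(number):
    """Keep digits only, so '+1 (617) 555-0100' equals '16175550100'."""
    return re.sub(r"\D", "", number)

class Watch:
    """Toy model of a watch that accepts 'password,key,value' settings texts."""

    def __init__(self, allowlist):
        self.allowlist = {normalize(n) for n in allowlist}
        self.password = FACTORY_DEFAULT
        self.settings = {}

    def _password_ok(self, supplied):
        return hmac.compare_digest(supplied.encode(), self.password.encode())

    def handle_sms_broken(self, sender, text):
        """Models the reported behaviour: the allowlist has no effect."""
        parts = text.split(",", 2)
        if len(parts) != 3 or not self._password_ok(parts[0]):
            return "rejected"
        self.settings[parts[1]] = parts[2]
        return "applied"

    def handle_sms(self, sender, text):
        """Fail closed: allowlisted sender AND a non-default password."""
        parts = text.split(",", 2)
        if len(parts) != 3:
            return "rejected: malformed"
        supplied, key, value = parts
        # The allowlist alone is a weak control, so it is only the first gate.
        if normalize(sender) not in self.allowlist:
            return "rejected: sender not allowlisted"
        if not self._password_ok(supplied):
            return "rejected: bad password"
        if key == "password":
            if value == FACTORY_DEFAULT or len(value) < 8:
                return "rejected: weak password"
            self.password = value
            return "applied"
        if self.password == FACTORY_DEFAULT:
            return "rejected: change the default password first"
        self.settings[key] = value
        return "applied"
```

In the second handler an unlisted sender is refused before the password is even compared, and no setting can be changed until the factory password has been replaced.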

The smartwatches that were tested by Rapid7 included Children’s SmartWatch, Jsbaby Game Smart Watch, and SmarTurtle Kid’s Smartwatch. They all appear to be white-label rebrands, made by Chinese company 3G Electronics. Rapid7 only tested three of the wide variety of cheap children’s smartwatches sold on Amazon, so it’s possible that other models contain the same flaws.

The Children’s SmartWatch is still listed on Amazon, but it’s “currently unavailable.”

The Jsbaby Game Smart Watch is still available to buy on Amazon for $33.

The SmarTurtle Smart Watch for Kids is still being sold as used for $20.

Rapid7’s advice is to stick to “clearly identifiable vendors.” Essentially, if you don’t recognize the brand, don’t go for it.

The findings are another notch on Amazon’s record of questionable vetting practices for products listed on the site. Amazon and 3G Electronics did not immediately reply to Business Insider’s requests for comment.