Recently, it has been discovered that SMA-WATCH-M2, a smartwatch featuring a GPS tracker manufactured by a Chinese firm named Shenzhen Smart Care Technology has been found vulnerable in terms of data and location data and location security
SMA-WATCH-M2 smartwatch
Researchers at the IoT laboratory from the AV-TEST Institute revealed that the data of as much as 5000 children globally is at stake on the firm’s unencrypted servers which includes names, addresses, age, images and voice messages of these children.
In addition to the data being unencrypted, it can also be accessed unauthorizedly leaving little to do for someone looking to misuse such data.
Image credit: AV-TEST
Yet, there’s more to this ordeal. A configuration file found in the smartphone app directory could be used to obtain the data of any user ID the attacker enters without requiring any credentials whatsoever through the web API. As an example, one could also link their own app this way to a child’s app and assign themselves the status of a parent app accessing all the data of the child conveniently.
But wouldn’t the child know since they should naturally receive a notification when someone has connected to their account? Turns out, no, nada, it’s like they send out no notification so someone could deliberately misuse this silent access.
An interesting thing to note though is that public-facing APIs are being seen as a growing attack vector and are not really exclusive to these watchmakers. Such suggestions have been sprouted by numerous industry experts with a notable one being Imperva who elaborate on how “public-facing APIs are a key security concern because they are a direct vector to the sensitive data behind applications.”
It is noteworthy that AV researchers tested these flaws and identified the location of one of the SMA-WATCH-M2’s users (Anna) in Germany.
“Real-time GPS position data, which is sent by the children’s watch via the inserted SIM card, our test team found completely unencrypted on the servers of the Chinese provider SMA. As a result, our lab team not only knew where Anna was, but also knew her actual place of residence, the way to school and, of course, communication with her grandparents,” explained the blog post published by researchers.
The following heat map shows the exact current and real-time location of children to attackers which not only puts their personal data at risk but also poses a major threat to their physical safety.
Image credit: AV-TEST
To conclude, we’re seeing such vulnerabilities particularly because of a lack of regulatory compliance imposed on Chinese firms. According to AV, they even informed Shenzhen of this vulnerability but despite this, the issue still persists. They detailed this by stating,
“At the time of the last check by AV-TEST, 420 accounts with a German telephone number were still identifiable. Our engineers also came across a variety of accounts in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and, of course, China.”
Hence as rightly pointed out by the researchers, “there is no GDPR-compliant privacy policy for the SMA children’s watch”, we strongly believe that this needs to change.
On the other hand, we have seen a German distributor named Pearl stops the selling of these watches in light of this. It’s time marketplaces like Amazon also took action and started removing products that are found vulnerable until they are fixed.
