The Chinese SMA-WATCH-M2 was recently caught exposing private information, such as the location, of over 5,000 kids and their parents.
This watch works with a companion app that people can download on their phone. They can use the app to track the kids' location, make voice calls, and receive an alert if a child leaves their designated area. Maik Morgenstern, CEO and Technical Director of AV-TEST, stated that this is one of the most insecure products on the market.
For instance, the smartwatch's server can be queried using a publicly accessible web API. This is the server that connects the watch to the app. Any third party can also simply replace the authentication token with one of their own because the server doesn't verify it. This means an attacker could use the API to collect user IDs and other data.
Or an attacker could install the app on their own phone, change the user ID in the app's configuration file, and pair the phone with a kid's watch without needing the parent's account login.
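The two flaws described above, shown as an added example that is not the vendor's code: a handler that trusts the client-supplied user ID next to one that verifies the token and checks who owns the watch. The token format, key, function names and IDs are all assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed sample data; the real API, token format and IDs are not on the page.
SERVER_KEY = b"constructed-demo-key"
WATCH_OWNERS = {"watch-1001": "parent-A", "watch-1002": "parent-B"}


def _mac(user_id: str) -> str:
    return hmac.new(SERVER_KEY, user_id.encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Issue a token that binds the user ID to a server-side MAC."""
    return f"{user_id}.{_mac(user_id)}"


def authenticated_user(token: str):
    """Return the user ID the token was issued for, or None if it fails to verify."""
    user_id, sep, mac = token.rpartition(".")
    if not sep or not user_id:
        return None
    # Constant-time comparison on bytes, so malformed input cannot raise.
    ok = hmac.compare_digest(mac.encode(), _mac(user_id).encode())
    return user_id if ok else None


def get_location_unchecked(token: str, claimed_user: str, watch_id: str) -> str:
    """Behaviour the article describes: token ignored, client-supplied ID trusted."""
    if WATCH_OWNERS.get(watch_id) == claimed_user:
        return "ok"
    return "403 not your watch"


def get_location_checked(token: str, claimed_user: str, watch_id: str) -> str:
    """Hardened form: identity comes only from the verified token."""
    user = authenticated_user(token)
    if user is None:
        return "401 invalid token"
    # claimed_user is deliberately unused: the client does not get to say who it is.
    if WATCH_OWNERS.get(watch_id) != user:
        return "403 not your watch"
    return "ok"
```
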
Most of the kids were located throughout Europe, in countries such as the Netherlands, Poland, Turkey, Germany, Spain, and Belgium, but the AV-TEST CEO says they've also found active smartwatches in China, Hong Kong, and Mexico.
SMA has been contacted with these findings, but Mr. Morgenstern didn't share how the company reacted, and noted the watch is still on sale.