#WatchOut - Serious vulnerabilities in smart watches for children

In October 2017, the Norwegian Consumer Council (Forbrukerrådet) and mnemonic published the #WatchOut campaign, revealing severe security flaws in smart GPS watches marketed towards children and parents. Among other things, it was shown that it was possible for an unauthorized party to:

• take control of the watch through the companion app,
• eavesdrop on and communicate with the child without the parent knowing,
• track the child's movements, and also make it look like the child is somewhere he or she is not,

In some cases, user-generated data was also being insecurely transmitted and stored. In one case, data such as voice messages was found stored on an unprotected cloud server.

#WatchOut had a global spread and impact. It received coverage all over the world in outlets like the BBC, CBS, Good Morning America, Business Insider, The Telegraph, and Newsweek. This led to complaints being filed towards the US Federal Trade Commission (FTC), and some retailers pulling the devices from their shelves. It has also lead to smart watch vendors making extensive changes to their products.

Harrison Sand and Tor E. Bjørstad from mnemonic will go deeper into the technical details of the #WatchOut research and analysis, and how the technical assessments were carried out.

We will also discuss events in the aftermath of the campaign, concerns relating to vulnerability disclosure, and our general concerns related to securing the Internet of Things.

Links:
https://www.forbrukerradet.no/side/significant-security-flaws-in-smartwatches-for-children
https://www.forbrukerradet.no/side/critical-security-flaws-remain-in-smartwatches-for-kids/
https://www.mnemonic.no/watchout