X4 Smartwatch for Kids Has Undocumented Backdoor with Camera

This just cannot be said enough: every device that connects to the Internet in some way can be compromised. It's particularly concerning with devices that kids use. Anyone who has a child with an Xplora X4 Smartwatch should be concerned by the news that it includes an undocumented backdoor that, among other things, takes snapshots.

Backdoor Found on Kids Smartwatch

While it sounds wonderful for your children to have a smartwatch of their own, remember that it connects to the Internet and can be compromised. The X4 by Xplora runs on Android, can make and receive calls to parent-approved numbers, send an SOS, send GPS notes of a child’s location, can be controlled by an app on a parent’s smartphone, etc. It sounds so safe.

However, this children’s smartwatch also includes an undisclosed backdoor that was found by researchers at Mnemonic, a Norwegian security company. The watch includes commands that will report the location, take photos that are sent to an Xplora server, and make a phone call that sends all sounds it can pick up.

Pre-installed apps on the watch are from the Qihoo 360 developer. The company was placed on a U.S. Commerce Department sanctions list in June because of ties to the Chinese government and a belief it’s likely to engage in “activities contrary to the national security or foreign policy interests of the United States.”

This means not only does this children’s smartwatch have capabilities to send information about your children to the company’s servers, but it’s also connected to a company in a country that is often blocked because of a record of spying hacks.

Patch to Be Released

However, it took heroic efforts to find the backdoor on the X4 smartwatch. Anyone else looking for it wouldn't need the same effort, but would need to know the phone number of the watch and a unique encryption key that is hardwired into each watch.

Xplora did release a statement that said they “take any potential security flaw extremely seriously.”

They discussed the efforts needed to access the backdoor on the smartwatch and added that no one involved in manufacturing would have access to the phone number attached to the smartwatch to duplicate the scenario discussed.

“Even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.”

Xplora goes on to say only two employees have access to the “secure database where customer information is stored.” But that may make you feel more or less secure.

Additionally, the issue the researchers discovered was “based on a snapshot feature included in initial prototype watches” to “be activated by parents after a child pushes an SOS emergency button. We removed the functionality for all commercial models due to privacy concerns. The researcher found some of the code was not completely eliminated from the firmware.”

Since Xplora was alerted about the backdoor, they have developed a patch, and it is available. They say the watch is not available in the United States. The Xplora website says it is available in the U.K., Germany, Spain, France and Poland.

But take this information about this children’s smartwatch backdoor exactly for what it is. It was intended to be on the watch but removed. At the very least, at one point the company was going to include the function, then removed it. And keep this information in mind if you decide to buy a children’s smartwatch from a different manufacturer as well. Know that it’s at least possible.

If you’d like more information on backdoors, follow along and read cryptographic backdoors explained.

Image Credit: Xplora

Laura Tucker
