A device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device for bad actors.

Researchers at the AV-Test Institute have uncovered privacy and security holes in the SMA-WATCH-M2 smartwatch that is designed to keep children safe and their parents feeling secure about their offspring.

The researchers were able to piece together a snapshot of the life and daily habits of a randomly selected 10-year-old child named Anna from Germany. Among other data, the Chinese-made device exposed the girl’s age, place of residence, where she spends most of her day, and the routes she takes. The researchers could even access the sound messages that were transmitted to her device. And that’s still not all – they were even able to monitor Anna’s real-time GPS position.

The team said it could gain access to the location, phone number, photos and conversations of well over 5,000 children, and was quick to note the number of affected users might, in fact, be far higher.

In addition to communication with the manufacturer’s server being unencrypted, the online interface of the manufacturer’s server was completely unsecured, leaving it entirely open to external unauthorized access. Although an authorization token was generated to prevent unauthorized access, the server does not check it. Which essentially means anyone with enough “hacking” skills should have no problem in accessing user IDs. This allows potential attackers to have the same access that a parent would have.

This lapse in security was found to affect users in Germany, Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands, and China. There is a possibility that the number of affected people may be well over the previously estimated 5,000.