Researchers Discover Flaws in Smartwatches For Kids

Gadgets | Dec 11, 2019

Security researchers discovered vulnerabilities in smartwatches for children that make it possible for strangers to override parental controls and track kids.

Cybersecurity firm Rapid7 Inc. identified vulnerabilities in a number of children's GPS-enabled smart watches under the guidance of the company's IoT Research Lead Deral Heiland. The researchers purchased three different brands of watches from Amazon: Children's SmartWatch, G36 Children's Smartwatch, and SmarTurtles Kid's Smartwatch. During the investigation, the researchers determined that all three products shared nearly identical hardware and software, so all of the described findings affect all three watches.

While only one of these issues is a technical vulnerability—the lack of functional SMS filtering—two other issues that the researchers identified were equally troubling: an undocumented default password used to associate with the devices, and a lack of transparency and communication with the retail vendors of these devices.

For two of the devices, the vendors appear to exist solely as Amazon storefronts, and any attempts to contact these vendors privately proved impossible. The third, SmarTurtles, does have an associated website, but there appears to be no mechanism to contact this vendor, nor is there a published privacy policy.

The lack of a privacy policy is especially troubling in this age of CCPA and GDPR, and doubly so when it comes to technology marketed to parents of small children.

All three models of GPS watches use either SETracker or SETracker2 as the backend cloud service and mobile application for the iPhone and Android platforms. Both versions of SETracker are provided by the developer "wcr." The application indexing service AppBrain indicates that wcr is the developer account associated with 3G Elec, a Chinese company based in Shenzhen. As far as the hardware is concerned, all three devices appear to be white-label rebrands of 3G Elec's offering.

None of the retail vendors were identifiable or contactable. While an email address was identified for 3G Elec, any attempts to contact and discuss these issues were foiled by technical issues with that email address.

Aside from the communications issues described above, two technical issues were uncovered across the three GPS smart watches:

The products under test have an SMS-based interface to view and change configuration details by texting the watch directly with certain commands. The documentation states that only certain configured numbers may communicate with the watch, and those numbers are entered on a whitelist on the associated mobile app. However, in practice, this filter did not appear to be functional at all—unlisted numbers could also interact with the watch.

Incidentally, SMS filtering is a weak control even in the best of circumstances, as this originating phone number is trivially spoofable, and is therefore not recommended as a security control.

So, armed with the knowledge of a watch's assigned phone number and the configuration password (see below), unauthenticated attackers can read and write configuration details, up to and including pairing the watch with the attacker's own smartphone.

The watches have a default configuration password of "123456", and the documentation for each of the three watches under test treats this information differently. One manual does not mention the password at all, another mentions it in a translated blog about the product (but not in the printed material), and a third neither characterizes the string as a password nor provides any instruction on how to change it.

Given an unchanged default password and a lack of SMS filtering, it is possible that an attacker with knowledge of the smart watch phone number could assume total control of the device, and therefore use the tracking and voice chat functionality with the same permissions as the legitimate user (typically, a parent).

Unfortunately, there does not appear to be any mechanism to address the SMS filtering issue without a vendor-supplied firmware update, and such an update is unlikely to materialize given that the providers of these devices are difficult, if not impossible, to locate.

The researchers urge current users of these devices who wish to continue to use the device to investigate how to update the SMS control password.
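
The two controls discussed above, the SMS sender whitelist and the configuration password, sketched as an added example; it is not code from the article, Rapid7, or the watch firmware. It shows a handler that actually enforces the sender list and refuses everything except a password change while the default is still set. The `PASSWORD,COMMAND` message format, the command names `SETPW` and `LOCATE`, and the phone numbers are constructed for illustration; only the default password "123456" comes from the article.

```python
import hmac
import re

DEFAULT_PASSWORD = "123456"  # default configuration password reported in the article


def normalize(number: str) -> str:
    """Reduce a phone number to its digits so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


class WatchConfig:
    """Hypothetical per-device settings: permitted senders and the SMS password."""

    def __init__(self, allowlist, password=DEFAULT_PASSWORD):
        self.allowlist = {normalize(n) for n in allowlist}
        self.password = password


def authorize(cfg: WatchConfig, sender: str, message: str):
    """Return (allowed, detail) for an inbound SMS in the constructed
    'PASSWORD,COMMAND[,ARGS...]' format."""
    # 1. Sender filter. Caller ID can be spoofed, so this is defense in depth
    #    only, but it must at least be evaluated (the reported flaw is that
    #    unlisted numbers were accepted).
    if normalize(sender) not in cfg.allowlist:
        return False, "sender not on allowlist"

    parts = message.strip().split(",")
    if len(parts) < 2 or not parts[1]:
        return False, "malformed message"
    supplied, command = parts[0], parts[1].upper()

    # 2. Password check, compared in constant time.
    if not hmac.compare_digest(supplied.encode(), cfg.password.encode()):
        return False, "bad password"

    # 3. While the factory default is in place, permit only a password change.
    if cfg.password == DEFAULT_PASSWORD and command != "SETPW":
        return False, "default password must be changed first"

    return True, command


if __name__ == "__main__":
    cfg = WatchConfig(["+1 (555) 010-0001"])  # constructed parent number
    print(authorize(cfg, "+15550100002", "123456,LOCATE"))   # unlisted sender
    print(authorize(cfg, "+15550100001", "123456,LOCATE"))   # default password
    print(authorize(cfg, "+15550100001", "123456,SETPW,x9!kQ2"))
```

Because the originating number can be forged, the password is the control that carries the weight here, which is why step 3 blocks every command until the default has been replaced.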
