European Commission orders recall of children’s smartwatch over privacy concerns


The watch has been found to expose its wearers to a high level of risk of being contacted and monitored by attackers.

The European Commission has issued a recall order for a smartwatch aimed at children due to concerns that it represents a serious risk for the privacy and security of its wearers.

The watch, called Safe-KID-One and marketed by German company ENOX Group, is sold as “a high-tech SIM/GPS safety and surveillance smart watch for kids”. It is fitted with a range of features, including a GPS tracker, a speaker and microphone, and calling and SMS functionalities.

According to the product sheet, parents can use the companion mobile app, available both for iPhones and Android-powered devices, to locate and follow their kids “almost to the meter”, as well as record and play back their movements over a given period of time. “You can draw up a ‘geographical fence’ around the kid, and, if it leaves this area, you will immediately be notified/warned,” reads the product sheet.

However, the European Commission has concluded that the security side of things leaves much to be desired, deeming the level of risk associated with the watch “serious”. The EU’s executive arm has found Safe-KID-One to be at odds with the EU’s Radio Equipment Directive, prompting it to enjoin public authorities across Europe to recall the product from end users.

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. Consequently, the data such as location history, phone numbers, serial number can easily be retrieved and changed. A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS,” reads the recall order in the Rapid Alert System for Non-Food Products (RAPEX), a system used by EU and European Economic Area (EEA) countries for a quick exchange of information about dangerous non-food products.

The watch as shown in the RAPEX alert

ZDNet noted that this is the first time that EU authorities have issued a recall order for a product over privacy or security issues.

In response to the decision, an ENOX representative was quoted by The Register as saying that the company’s watch had passed a test by Germany’s Federal Network Agency. “This RAPEX announcement [is based] on a test in Iceland. We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product (a previous version of the product, which is not in the market anymore),” said the company.

At any rate, concerns over smart tech for kids have been raised, and acted on, before. For example, Germany introduced a blanket ban on smartwatches aimed at children in late 2017 due to worries that the gear can be used as spying devices. In June 2018, security and privacy concerns prompted major online retailers to stop selling a network-connected family of toys called CloudPets.

To learn a bit more about the privacy and security implications of wearables, you may want to read, for example, “How secure is your smartwatch?” or “Wearables: where’s the security risk?”

written by Tomas Foltyn, ESET We Live Security

