These GPS watches put children’s lives at risk, researcher warns

Filip TRUȚĂ

November 20, 2018


Parents eager for the latest child-monitoring tech might want to do some research before picking the first item that jumps at them off the shelf. As one researcher has discovered, kids’ watches based on a specific API are seriously vulnerable to remote attacks, and could help bad actors trick children into a trap.

Alan Monie with Pen Test Partners was intrigued by his friends’ recent acquisition of a dirt-cheap GPS watch for his child. For around £10, the Misafes Kids Watcher offered two-way calling (using a SIM card and cellular connection), the ability to see where the child was on the map, an SOS function, and more.

Monie was impressed, but felt that all this functionality might come at a serious cost if not secured properly. He was right. While similar watches require physical access to steal the IMEI code and hack them, this model can be hacked remotely without direct access to the gadget.

“I proxied the iOS app through Burp and could see that the traffic was not encrypted,” he writes. “Personal and sensitive information could be entered into the application such as phone numbers, passwords, as well as information relating to children. Profile pictures, names, gender, date of birth, height, and weight all transmitted across the internet in cleartext.”

“These new attack vectors can not only be performed remotely (including capturing the IMEI remotely), but allow an attacker to build up a global picture of the location of all the children. Combined with caller ID spoofing, this attack becomes really nasty,” he adds.

Monie could see these details for any kid in the world using this particular smart watch. The hack was so efficient that a bad actor could use it to retrieve real-time GPS coordinates of the kids’ watches, call the child on the watch, create a covert one-way audio call and spy on the child, send audio messages to the child on the watch, and even impersonate the child’s parents via messages. The vulnerabilities are explained in detail in Monie’s blog post.

The worst news: both Monie and others (including the BBC) contacted the vendor to seek a comment, but Misafes has yet to respond.

Author


Filip TRUȚĂ

Filip has 15 years of experience in technology journalism. In recent years, he has turned his focus to cybersecurity in his role as Information Security Analyst at Bitdefender.
