Security experts continue to find vulnerabilities in ‘smart’ products aimed at kids.
“Vulnerable to a security flaw”
A kids’ smart watch which received backing from the Queensland government has allegedly been found to be vulnerable to hacking by strangers.
The TicTocTrack watch was launched by Australian mum Karen Cantwell via her company iStaySafe Pty Ltd. Security experts say this product is worryingly easy to log into and manipulate remotely, apparently even if you don’t have the device passcode or legitimate permission to access it.
“An Australian company behind a GPS tracking smartwatch for children backed to the tune of $1 million by the Queensland government has been found to be vulnerable to a security flaw that computer security researchers say allowed them to track a child, make them appear in another location, call them, and listen to them – without any interaction from the user,” The Age reports.
From Gator Watch to TicTocTrack
The TicTocTrack Watch is actually a rebrand of the Chinese-manufactured Gator Watch – available for purchase on Alibaba – but with brand new bespoke TicTocTrack software installed.
The original Gator Watches – and other smart products like this for kids – have had lots of security issues. You can read about those here. Germany has banned kids’ smart watches altogether because of privacy concerns.
Smart watches like the TicTocTrack have been appealing to parents because they seemed to provide a way for mums and dads to stay in touch with kids, without anyone else having access.
But this perceived benefit is now in doubt.
“I would never buy one of these watches for my children”
It appears that the new software installed on the TicTocTrack is less than optimal.
UK computer security researcher Ken Munro and Brisbane researcher Troy Hunt got in touch with TicTocTrack over the weekend to let the company know that their device was “trivial” to exploit and vulnerable to security breaches.
“Mr Hunt also filmed a video of his six-year-old daughter Elle using the watch as it was remotely accessed by an unauthorised third party, who spoke to her,” The Age reports.
“I would never buy one of these watches for my children,” Troy Hunt told The Age. “The only reason I bought this was to demonstrate the flaw. If I were a parent who bought one with the intention of using it I would return it and ask for a refund.”
He stressed that it was incredibly easy to log into one of these watches without legitimate authorisation.
I'll talk to my kids all day long about this stuff, but I'll never install the sorts of software or buy the kinds of tracking devices I keep seeing peddled. These things are consistently absolute rubbish and they prey on scared and uninformed parents and teachers to get traction.
— Troy Hunt (@troyhunt) April 6, 2019
“Never been a security breach”
The Age reports that TicTocTrack emailed all users of their device on Monday, saying they would be shutting down their service temporarily but not confirming that their device had a security vulnerability.
“To this day, there has never been a security breach that has led to our customer’s personal data being used for malicious purposes,” Karen Cantwell stressed in a statement issued on Monday. “Our team are constantly working to improve our software and make it as safe as possible for our users.”
Ken questions this, noting that the company would have no clue about any data breaches because the software they created for these watches had sub-par security.
“They have NO IDEA if the data has been used or not. All that they can be certain of is that no-one other than us has reported that data has been exposed,” Ken wrote on his website.
iStaySafe say they are currently conducting a security audit of these watches and that they are waiting on information from Ken Munro about the vulnerabilities he described.
Very detailed information about the origin of the TicTocTrack watch and how easy it was to hack into can be found on Ken’s website here.
Ken also explained exactly what these gaping holes in the TicTocTrack watches mean for families.
Easy to tamper with
“Anyone could discover the location of children using the watch,” Ken writes. “Anyone could tamper with that position data, making you think your children were safe whilst they were actually elsewhere. Anyone could cause false alarms by moving the reported position of your child. Anyone could silently listen to your child, or talk to your child through their smartwatch. They could listen to you silently too, if you were near the watch.”
That said, he noted that this business acted swiftly once they were alerted to the security flaw.
“They responded fast and took appropriate action. TicTocTrack should be commended for that,” Ken said.