[BreachExchange] EU Recalls Children’s Smartwatch That Leaks Location Data

Destry Winant destry at riskbasedsecurity.com
Wed Feb 6 10:05:26 EST 2019


https://threatpost.com/eu-recalls-childrens-smartwatch-that-leaks-location-data/141511/

The European Commission has issued a recall for a popular smartwatch
for children, citing “serious” privacy issues that could allow a bad
actor to track or communicate with kids remotely.

The issues exist in Safe-KID-One, an IoT watch made by German company
Enox Group that allows parents to track their children on a GPS map in
a companion smartphone app. However, this app communicates with its
backend server without encryption, enabling unauthenticated access to
data, according to the EU.

“As a consequence, the data such as location history, phone numbers,
serial number can easily be retrieved and changed,” according to the
January recall. “A malicious user can send commands to any watch
making it call another number of his choosing, can communicate with
the child wearing the device or locate the child through GPS.”
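The recall describes two distinct failures: plaintext transport (so data can be read and altered in transit) and a backend that accepts commands for any watch from anyone. Transport is fixed by TLS; the second failure needs server-side binding of every command to an authorised caller, a specific device and a one-time value. The following is an added illustration of that binding, not Enox's code or the watch's real protocol; the device keys, guardian accounts, command names and request shape are all constructed for the example, and TLS is assumed rather than modelled.

```python
import hashlib
import hmac
import json

# Constructed sample provisioning data: per-watch keys installed at pairing
# time and the guardian accounts allowed to command each watch. Placeholder
# values only; no relation to any real device.
DEVICE_KEYS = {
    "WATCH-0001": bytes.fromhex("00" * 32),
    "WATCH-0002": bytes.fromhex("11" * 32),
}
PAIRINGS = {
    "guardian-a": {"WATCH-0001"},
    "guardian-b": {"WATCH-0002"},
}
ALLOWED_COMMANDS = {"locate", "call"}
SIGNED_FIELDS = ("guardian", "serial", "cmd", "nonce")


def vulnerable_handle(request: dict) -> dict:
    """Mirrors the failure mode in the recall: the backend only checks that the
    serial exists, so any caller can command any watch."""
    serial = request.get("serial")
    if serial not in DEVICE_KEYS:
        return {"ok": False, "error": "unknown device"}
    return {"ok": True, "serial": serial, "executed": request.get("cmd")}


def sign_command(guardian: str, serial: str, cmd: str, nonce: str) -> dict:
    """Guardian-app side: MAC the command under the key of the watch it is for.
    A real app would only hold keys for watches paired to its account."""
    body = {"guardian": guardian, "serial": serial, "cmd": cmd, "nonce": nonce}
    canonical = json.dumps(body, sort_keys=True).encode()
    body["mac"] = hmac.new(DEVICE_KEYS[serial], canonical, hashlib.sha256).hexdigest()
    return body


class HardenedServer:
    """Backend that binds each command to a guardian, a watch and a one-time
    nonce. Transport encryption (TLS) is assumed and not modelled here."""

    def __init__(self):
        self.seen_nonces = set()

    def handle(self, request: dict) -> dict:
        serial = request.get("serial")
        guardian = request.get("guardian")
        cmd = request.get("cmd")
        nonce = request.get("nonce")
        mac = request.get("mac")
        if serial not in DEVICE_KEYS:
            return {"ok": False, "error": "unknown device"}
        if cmd not in ALLOWED_COMMANDS:
            return {"ok": False, "error": "unknown command"}
        # Authorization: the caller must be paired with this specific watch.
        if serial not in PAIRINGS.get(guardian, set()):
            return {"ok": False, "error": "caller not paired with device"}
        # Authenticity and integrity: recompute the MAC over the canonical body.
        if not isinstance(mac, str) or not isinstance(nonce, str):
            return {"ok": False, "error": "missing mac or nonce"}
        body = {k: request.get(k) for k in SIGNED_FIELDS}
        canonical = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(DEVICE_KEYS[serial], canonical, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return {"ok": False, "error": "bad signature"}
        # Replay protection: each nonce is accepted once per watch.
        if (serial, nonce) in self.seen_nonces:
            return {"ok": False, "error": "replayed command"}
        self.seen_nonces.add((serial, nonce))
        return {"ok": True, "serial": serial, "executed": cmd}


def demo() -> dict:
    """Run the scenarios from the recall text against both handlers."""
    server = HardenedServer()
    stranger = {"serial": "WATCH-0001", "cmd": "call"}  # no identity at all
    good = sign_command("guardian-a", "WATCH-0001", "locate", "n1")
    cross = sign_command("guardian-b", "WATCH-0001", "locate", "n2")
    tampered = dict(sign_command("guardian-a", "WATCH-0001", "locate", "n3"))
    tampered["cmd"] = "call"  # altered after signing, as plaintext allows
    return {
        "vulnerable_accepts_stranger": vulnerable_handle(stranger)["ok"],
        "hardened_rejects_stranger": not server.handle(stranger)["ok"],
        "hardened_accepts_paired": server.handle(good)["ok"],
        "hardened_rejects_cross_device": not server.handle(cross)["ok"],
        "hardened_rejects_tampered": not server.handle(tampered)["ok"],
        "hardened_rejects_replay": not server.handle(good)["ok"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The pairing check is what stops "send commands to any watch": the server decides per serial who may command it, rather than trusting whatever serial the request names. The MAC and nonce only matter once that decision exists; without pairing data on the server, no amount of signing helps.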

The watch also fails to comply with the Radio Equipment Directive, a
regulatory framework that requires technical features in radio
equipment for the protection of privacy, personal data and against
fraud.

The EU urged distributors of the Safe-KID-One to recall the product
from end users. The alert was submitted by Iceland.

According to Bernieri Christian, CEO of Bernieri Consulting, it’s the
first Rapid Alert for dangerous products related to data protection
and privacy.

“I’m very happy to see #dangerous #products withdrawn from the market
due to lack of data protection,” he said in a tweet. “It is the very
first time. I hope that the monitoring system will keep on focusing on
data protection.”

The Safe-KID-One is one of many smart watches offered by Enox Group,
including health smart bands and another kid’s model watch
(Safe-KID-Two).

When contacted by Threatpost, Ole Anton Bieltved, the CEO and
president of the Enox Group, said the Safe-KID-One was tested by the
Bundesnetzagentur (also known as the Federal Network Agency, the German
regulatory office of the German Federal Ministry of Economics and
Technology) in 2018 and had passed regulatory tests.

“In December 2018 we got the…confirmation from them, that the watch
had passed their test,” Ole Anton Bieltved told Threatpost via email.
“This RAPEX announcement is based on a test in Iceland. We think this
test was excessive – not reasonable, material or fair – or, based on a
misunderstanding or the wrong product. We also think that the test
conclusion of the Bundesnetzagentur is sufficient and rules.”

The smartwatch has not been distributed in the U.S. or the U.K., he
told Threatpost.

“Our customer in Iceland has made a strong protest against this test
conclusion in Iceland, based on the approval of the product in
Germany, and they have appealed to the authorities in charge with the
demand, that this test conclusion would be reversed,” he said.

When contacted, the Federal Network Agency told Threatpost that the
information currently available in the [Rapid Alert] procedure “is not
sufficient for a final assessment.”

“The Federal Network Agency is therefore investigating the facts of
the case,” the spokesperson told Threatpost. “A decision on possible
subsequent measures will be taken after a complete evaluation of the
facts.”

Smart Watch Issues

While IoT device security issues are nothing new to the infosec
community, privacy problems in children’s connected smartwatches are
viewed as particularly insidious.

Researchers at Pen Test Partners recently found that the Gator kids’
GPS-tracking watches were exposing sensitive data involving 35,000
children, including their location in real time. In November, the
Misafes “Kids Watcher” GPS watch was found to have vulnerabilities
that translate into a stalker or pedophile’s ideal toolset.

And it’s not just smartwatches: After CloudPets connected teddy bears
were found to have exposed 2.2 million voice recordings between
parents and their children in a significant data breach, Amazon,
Target and Walmart have pulled the toys from their online markets.
Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and
Mattel’s Hello Barbie doll have also undergone major security issues.

The Federal Trade Commission (FTC) for its part in a June statement
warned that poorly secured IoT devices could pose a consumer safety
hazard and outlined ways to mitigate such risks.

Last January, the FTC announced its first settlement that involved
IoT-connected toys. The FTC alleged that an app used with some of
VTech’s toys gathered personal data from hundreds of thousands of
children. As part of the settlement, VTech agreed to pay $650,000.

As for the Safe-KID-One recall, “it’s a positive step in the right
direction for IoT regulation, and we welcome it, however until devices
are required to have an independent security assessment before they
are released, we’ll continue to see millions of vulnerable devices on
the market,” Alan Monie, researcher with Pen Test Partners, told
Threatpost. “Without stricter regulation, market forces will continue
to triumph over the safety of children in all but the most astute
companies.”
