EU Recalls Children's Smartwatch That Leaks Location Data

UPDATE

The European Commission has issued a recall for a popular smartwatch for children, citing “serious” privacy issues that could allow a bad actor to track or communicate with kids remotely.

The issues exist in Safe-KID-One, an IoT watch made by German company Enox Group that allows parents to surveil their children using a GPS map on a complementary smartphone app. However, this mobile app accompanying the watch has unencrypted communications with its backend server – enabling unauthenticated access to data, according to the EU.

“As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed,” according to the January recall. “A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

Click to Expand.

The watch also fails to comply with the Radio Equipment Directive, a regulatory framework that requires technical features in radio equipment for the protection of privacy, personal data and against fraud.

The EU urged distributors of the Safe-KID-One to recall the product from end users. The alert was submitted by Iceland.

According to Bernieri Christian, CEO of Bernieri Consulting, it’s the first Rapid Alert for dangerous products related to data protection and privacy.

“I’m very happy to see #dangerous #products withdrawn from the market due to lack of data protection,” he said in a tweet. “It is the very first time. I hope that the monitoring system will keep on focusing on data protection.”

> 1/4 This is huge!! As far as I know, the UE has issued the FIRST Rapid Alert (#RAPEX) for dangerous products that may be related to data protection and #Privacy.
This drive me crazy: the product is a smartwatch for MONITORING KIDS (#ENOX SAFE KID ONE with GSM and GPS integrated) pic.twitter.com/huFsSxDrOp
>
> — Bernieri Christian (@prevenzione) February 1, 2019

The Safe-KID-One is one of many smart watches offered by Enox Group, including health smart bands and another kid’s model watch (Safe-KID-Two).

When contacted by Threatpost, Ole Anton Bieltved, the CEO and president of the Enox Group, said the Safe-KID-One was tested by Bundenetzagentur (also known as the Federal Network Agency, the German regulatory office of the German Federal Ministry of Economics and Technology) in 2018 and had passed regulatory tests.

Click to Expand.

“In December 2018 we got the…confirmation from them, that the watch had passed their test,” Ole Anton Bieltved told Threatpost via email. “This RAPEX announcement bases on a test in Iceland. We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product. We also think that the test conclusion of the Bundesnetzagentur is sufficient and rules.”

The smartwatch has not been distributed in the U.S. or the U.K., he told Threatpost.

“Our customer in Iceland has made a strong protest against this test conclusion in Iceland, based on the approval of the product in Germany, and they have appealed to the authorities in charge with the demand, that this test conclusion would be reversed,” he said.

When reached out to, the Federal Network Agency told Threatpost that the information currently available in the [Rapid Alert] procedure “is not sufficient for a final assessment.”

“The Federal Network Agency is therefore investigating the facts of the case,” the spokesperson told Threatpost. “A decision on possible subsequent measures will be taken after a complete evaluation of the facts.”

Smart Watch Issues

While IoT device security issues are nothing new to the infosec community, children’s connected smartwatches privacy problems are viewed as particularly insidious.

Click to Expand.

Researchers at Pen Test Partners recently found that the Gator kids’ GPS-tracking watches were exposing sensitive data involving 35,000 children — including their location, in real time. In November, The Misafes “Kids Watcher” GPS watch was found to have vulnerabilities that translate into a stalker or pedophile’s ideal toolset.

And it’s not just smartwatches: After CloudPets connected teddy bears were found to have exposed 2.2 million voice recordings between parents and their children in a significant data breach, Amazon, Target and Walmart have pulled the toys from their online markets. Genesis Toys’ My Friend Cayla doll (which was banned in Germany) and Mattel’s Hello Barbie doll have also undergone major security issues.

The Federal Trade Commission (FTC) for its part in a June statement warned that poorly secured IoT devices could pose a consumer safety hazard and outlined ways to mitigate such risks.

Last January, the FTC announced its first settlement that involved IoT-connected toys. The FTC alleged that an app used with some of VTech’s toys gathered personal data from hundreds of thousands of children. As part of the settlement, VTech agreed to pay $650,000.

As for the Safe-Kid-One recall, “it’s a positive step in the right direction for IoT regulation, and we welcome it, however until devices are required to have an independent security assessment before they are released, we’ll continue to see millions of vulnerable devices on the market,” Alan Monie, researcher with Pen Test Partners, told Threatpost. “Without stricter regulation, market forces will continue to triumph over the safety of children in all but the most astute companies.”

This article was updated on Feb. 5 at 11 AM with a statement from the German Federal Network Agency.