Pen Test Partners’ initial research detailed security issues with the MiSafes device first launched three years ago. The idea, like all similar devices, is that it keeps track of the wearer’s movements at all times, reassuring parents.
However, hacking the watch is “well within the capability of an attacker with basic coding skills using only free tools,” the firm wrote.
Doing so will reportedly allow an attacker to change the device’s ID number and therefore access a user’s account, enabling them to locate and view a photo of the child; listen in to conversations between parents and their children; and call or message the child.
Attackers could also cause the watch SIM to dial premium rate numbers, potentially running up a huge bill.
“Our research was carried out on watches branded ‘Misafes kids watcher’ and appears to affect up to 30,000 watches. However, we discovered at least 53 other kids tracker watch brands that are affected by identical or near-identical security issues,” warned Pen Test Partners.
“So far, we have gathered data that indicates at least one million tracker watches in use today are affected.”
Aaron Zander, IT engineer at HackerOne, argued that until manufacturers are forced to build security into smart products from the start, consumers shouldn’t expect it to be included.
“So how do you purchase safe smart toys for your kids? You don’t,” he added.
“But if you must, don’t go for the cheapest options and try to minimize capabilities like video, Wi-Fi and Bluetooth. Also, if you do have a device and it does have a security flaw, reach out to your government representatives, write your regulating bodies, make a stink about it, it’s the only way it gets better.”