The Chinese SMA-WATCH-M2 was recently caught exposing personal data, such as location, of over 5,000 children and their parents.
This watch works with a companion app that parents can download on their phone. They can use the app to track the kids’ location, make voice calls, and receive an alert if a child leaves their designated area. Maik Morgenstern, CEO and Technical Director of AV-TEST, said that this is one of the most insecure products on the market.
For example, the smartwatch’s server can be queried using a publicly accessible web API. This is the server that connects the watch to the app. Any third party can also easily substitute the authentication token with one of their own, because the server doesn’t verify it. This means an attacker could use the API to collect user IDs and other data.
Or, an attacker could install the app on their own phone, change the user ID in the app’s configuration file, and pair the phone with a kid’s watch without needing the parent’s account login.
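The two failures described above, a token that is never verified and a user ID taken from the client, are contrasted below with a handler that derives the user ID from a verified token. This is an added illustration in Python, not code from SMA or AV-TEST; the signing key, the record store and the request shape are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side signing key; a real backend would keep this in a KMS/HSM.
SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Constructed sample of what the backend might store per watch (fake coordinates).
WATCH_DB = {
    "user-1001": {"watch": "watch-A", "lat": 52.37, "lon": 4.90},
    "user-2002": {"watch": "watch-B", "lat": 41.39, "lon": 2.17},
}

def issue_token(user_id: str) -> str:
    """Mint a token that binds the user ID to an HMAC-SHA256 tag under SERVER_KEY."""
    payload = base64.urlsafe_b64encode(json.dumps({"uid": user_id}).encode()).decode()
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"

def verify_token(token: str):
    """Return the user ID bound to the token, or None if the tag does not verify."""
    try:
        payload, tag = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["uid"]

def location_unverified(request: dict):
    """Models the reported flaw: a token must be present but is never checked,
    and the user ID is trusted from the client, so any caller reads any record."""
    if "token" not in request:
        return None
    return WATCH_DB.get(request["user_id"])

def location_verified(request: dict):
    """Hardened handler: the user ID comes from the verified token, and a
    client-supplied user ID that disagrees with it is rejected."""
    uid = verify_token(request.get("token", ""))
    if uid is None or request.get("user_id", uid) != uid:
        return None
    return WATCH_DB.get(uid)
```

The same principle applies to the pairing flow: the server, not the app’s configuration file, should decide which user ID a session is allowed to act for.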
Most of the kids were located throughout Europe, in countries such as the Netherlands, Poland, Turkey, Germany, Spain, and Belgium, but the AV-TEST CEO says they’ve also found active smartwatches in China, Hong Kong, and Mexico.
SMA has been notified of these findings, but Mr. Morgenstern didn’t share how the company reacted, and noted that the watch is still for sale.