Experts from Doctor Web uncovered weak passwords, strange behavior, and unencrypted data flows in several kinds of children’s wearables that are popular in Russia. These serious flaws can endanger the privacy of the watches’ young users and expose their data in ways that were never intended.
The models chosen for the experiment include the ELARI KidPhone 4G, Wokka Lokka Q50, ELARI FixiTime Lite, and Smart Baby Watch Q19. All of these watches are vulnerable in some way.
The ELARI KidPhone 4G is the watch with the most issues. Three hidden modules that send data to a remote server and receive commands from it have been identified within it. They transmit the user’s phone number, SIM card information, geolocation information, and device information.
In return, they may receive instructions to download or uninstall apps and load web pages. The Doctor Web experts say these modules might be exploited to download malicious software or load aerialists.
Passwords and data communications that aren’t secure
The Wokka Lokka Q50 smartwatch also has several security flaws. The data sent between the watch and the server is not secured, and the watch’s default password, “123456,” is trivially easy to guess.
Because of these flaws, attackers can gather information about the user or seize control of the watch via man-in-the-middle attacks. This also applies to the Smart Baby Watch Q19.
The ELARI FixiTime Lite smartwatch has the same issue with data being sent insecurely. Images and audio communications, for example, are delivered over HTTP and might be readily intercepted.
Although their study focuses on specific watch models, the researchers urge parents to be cautious when purchasing connected products for their children. Other watches may use the same software and firmware as the ones they investigated.