The smartwatch SMA-WATCH-M2, which works as a GPS tracker via SIM card, is designed to protect children and give parents a secure feeling. However, the much-sold children’s watch from a manufacturer in Shenzhen reveals potential attackers the exact position data of more than 5,000 children around the globe. It also allows you to listen in and manipulate confidential conversations and other information, proving that masses of cheap Chinese-made IoT devices are failing to meet minimum IT security or privacy standards.

Children’s watch expose Anna

Unlike usual, this report does not start with technical information about a device tested in the IoT laboratory of the AV-TEST Institute, but with the story of a little girl. It is about Anna, a fourth grader from the city of Dortmund in Germany. She lives with her parents in the posh district Lücklemberg. But currently she is with her grandparents on vacation on the North Sea island of Norderney, because Anna’s parents have to work. Anna lives with her grandparents in a small guesthouse in the district Fischerhafen. And because grandma and grandpa are not so good on foot, Anna likes to do short hikes to the old harbor alone, because with a bit of luck you can watch gray seals from there. Mostly she goes after dinner at 2 o’clock with Grandpa’s binoculars and stays for about an hour on her lookout. Anna is allowed to make these hikes without grandma and grandpa, after all, she is already 10 years old and the island of Norderney is a manageable patch of earth.

Communication of thousands of children unprotected

You may be wondering why we tell you about Anna and how we are so familiar with the little girl’s private life. And so it becomes technical again, as you are used to it here. Because Anna is one of many children,that wears the children’s watch SMA -Watch-M2 of the Chinese manufacturer Shenzhen Smart Care Technology Ltd. (short SMA) on her wrist. We picked out Anna as much as we could have picked Ahmet from London or Pawel from Lublin in Poland. Of all these children, more than 5,000 in total, very private data such as name, address, age and images are left unprotected on the manufacturer’s server behind the children’s watch from Shenzen. At the same time, all voice messages transmitted via the clock are also to find here. Even worse: Real-time GPS position data, which is sent by the children’s watch via the inserted SIM card, our test team found completely unencrypted on the servers of the Chinese provider SMA. As a result, our lab team not only knew where Anna was, but also knew her actual place of residence, the way to school and, of course, communication with her grandparents.

The SMA-WATCH-M2 of the Chinese manufacturer SMA allows attackers to track over 5,000 children around the world due to serious security vulnerabilities.
The SMA-WATCH-M2 of the Chinese manufacturer SMA allows attackers to track over 5,000 children around the world due to serious security vulnerabilities.

 

Responsible Disclosure: Pearl takes watch off the shelf

As part of the review of children’s smartwatches, the engineers at our IoT lab have already found comprehensive reasons in the comparison test that militate against the use of tracker watches for children. But the Chinese SMA-WATCH-M2 tops the security failures of other manufacturers by far. This is one of the reasons why we granted one of the German suppliers Pearl, who provided us with the device called “TrackerID
Children’s smartwatch with GPS / GSM / WiFi tracking, SOS button, pink, IP65 “for testing purposes, one month to publish this article under the Responsible Disclosure procedure in order to contact the Chinese manufacturer and to fix the security issues reported by our IoT lab. In contrast to the Chinese manufacturer Pearl reacted exemplary and does not offer the children’s watch since the warning by the AV-TEST Institute. Manufacturers SMA, however, continues to sell the watch on a large scale via various distributors worldwide. And still the reported gaps in the online communication of the product gape. Last week’s review, it was still possible in our lab to access location data, phone numbers, pictures and conversations from more than 5,000 children.

This is possible via a completely unsecured online interface of the manufacturer server. Since ongoing communication is completely unencrypted and there is no functioning authentication. Although an authentication token is generated and sent to requests to the Web API to prevent unauthorized access, this token is not checked on the server side and is therefore inoperative. Thereafter, direct access to user IDs is possible, as shown in the following screenshot:

The unprotected Web API provides full access to the extensive IDs of registered users of the SMA-WATCH-M2. Included are names, addresses, pictures, phone numbers, current position data and much more.
The unprotected Web API provides full access to the extensive IDs of registered users of the SMA-WATCH-M2. Included are names, addresses, pictures, phone numbers, current position data and much more.

In addition to image, name and registered address data, the retrievable data also reveal the IMEI of the modem of the clock as well as real-time coordinates, which can be located and displayed very easily and accurately via Google Maps, for example. Through simple brute-force attacks on the unprotected Web API, the corresponding records of all registered users can be found out.

The positional data of the children's watch, which we intercepted via the Web API, show the exact position of the watch at the time of the test.
The position data of the children’s watch, which we intercepted via the Web API, show the exact position of the watch at the time of the test.

App helps locate foreign children

But that’s not all: A config file in the smartphone app directory can be used to transfer any account with the data available via the Web API. For this it is sufficient to put the determined user IDs in the config file of the app. When the application is started, the app then automatically logs into the ID belonging to the account without requiring authentication. Not even a query of user e-mail and password is provided for such cases by the app or the mechanisms envisaged does not work. But even if, this hurdle could easily be avoided, because even this data is freely available to anyone through the vulnerability of the Web API.

Accordingly, the app belonging to the Chinese children’s watch also provides attackers with the opportunity to conveniently access any account and, like the legitimate user, to use the full functionality of the parent app, including position determination, voice messages, telephony and all other functions. There is no warning message to other users of the app. And like the majority of Chinese IoT products currently flooding the European market, there is no GDPR-compliant privacy policy for the SMA children’s watch, just a Chinese version.


Conclusion: AV-TEST warns about SMA-M2 watch!

In summary, it can be said about the SMA children’s watch: The Chinese children’s watch is anything but a product for the protection of children but on the contrary a real danger! It offers potential attackers the ability to identify the location of more than 5,000 children and access data from over 10,000 parent accounts. Attackers are given access to sensitive personal information, including the name of parents, the name and image of the child, names and numbers of relatives and acquaintances in the phone book that can be used in the event of possible contact with the child. And precisely this danger threatens through the unprotected access to data for real-time position determination and the possibility of direct contact by phone call and voice message. At the same time, legitimate users, such as the parents, can be locked out of the account and thus prevents effective help in an case of emergency.

The heat map created in the test shows the current position of each children's watch of the Chinese manufacturer SMA and could lead potential attackers right up to the door of each child's home.
The heat map created in the test shows the current position of each children’s watch of the Chinese manufacturer SMA and could lead potential attackers right up to the door of each child’s home.
At the time of the last check by AV-TEST , in addition to Anna’s account, 420 accounts with a German telephone number were still identifiable. Our engineers also came across a variety of accounts in Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands and, of course, China. However, it is to be feared that the dangerous children’s watch, not least because of the competitive price of just under $ 30, is significantly more widespread. As in Germany, the SMA-M2 children’s watch is also distributed as a private brand by importers in other countries. Accordingly, it can be assumed that the number of endangered users is significantly higher. Accordingly, the AV-TEST Institute has not only warned the German distributor Pearl about the threats posed by the Chinese IoT product, but has also informed the Computer Emergency Response Team (CERT) of the Federal Office for Information Security (BSI).

Update (January 15, 2020)

After the AV-TEST Institute informed Pearl, the German supplier of the children’s watch, about the dangers, the supplier took immediate action, contacted the Chinese manufacturer SMA and initiated the patching of the following security leaks that were directly dangerous for users: a) Transmission of data by the “Easy Tracker” app when accessing the API of the manufacturer’s website in plain text, b) Disabling access to the website API without authentication, c) Possibility of transferring user accounts by manipulating the configuration file of the app.