Children’s Smartwatch Recalled Due to Privacy Concerns

The European Union (EU) issued a recall for a popular children’s smartwatch due to ‘serious’ privacy issues. The watch, Safe-KID-One, made by German company Enox, allows malicious actors to easily track and communicate with children wearing the device.

Safe-KID-One is a smartwatch made specifically for parents to monitor and track their kids through an Android mobile app. The watch comes with a built-in GPS tracker, a built-in microphone and speaker, and the ability to text and call.

The alert was issued by Iceland, which said the device did not comply with the Radio Equipment Directive. This framework requires all devices using radio signals to protect the privacy and personal data of customers.

The EU authorities cited the issues in a RAPEX alert in January, saying:

“The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data. As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed. A malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.”

After the recall was announced, Christian Bernieri, an Italian data protection expert, found that ENOX works with a third party, a Chinese developer, who is in control of the Android app associated with the watch. The developers do not give any information on their privacy policy. Instead, they provide a link on the Play Store app to their LinkedIn page.

ENOX responded to the recall, stating the tests were

‘excessive - not reasonable, material, or fair - or, based on a misunderstanding or the wrong product’.

ENOX has appealed the recall, saying that it followed all necessary regulatory standards in Germany and passed all tests.

Smartwatch distributors need to focus on privacy, especially on products for children. Any unsecured IoT device marketed towards children is open for stalkers or pedophiles to use in a malicious manner. Security researchers at Pen Test found that Gator kids' GPS-tracking watches were exposing the private data of 35,000 children. In another incident, a connected teddy bear, CloudPets, was pulled from shelves when a data breach exposed 2.2 million voice recordings of parents and children.

 
