Kids' smartwatches sold on Amazon can be hacked
Thinking of gifting your kids a smartwatch this holiday season? You might want to check that list again. Smartwatches for children that were purchased on Amazon are vulnerable to hackers, allowing them to track and even communicate with children, according to cybersecurity research firm Rapid7.
Although there are dozens of smartwatches geared to kids, researchers randomly chose three devices on which to focus: Children's SmartWatch, G36 Children's Smartwatch and SmarTurtles Kid's Smartwatch.
The brightly hued watches let parents monitor children's whereabouts as well as eavesdrop on them through the built-in camera and microphone.
"Our smartwatch for kids has a remote camera and voice monitor that lets you know what your kid is doing any time of day," reads the description for one device. "Simply dial the number and the smartwatch for boys will automatically answer, letting you secretly watch and hear what your kid is doing."
But while the ability to track their children may give parents ease of mind, analysts discovered the devices are poorly secured. Hackers who are able to figure out the watches' default passwords, typically a six-figure numerical pin that reads "123456," can easily access the phones to configure settings so they are the ones able to eavesdrop on users.
Making matters worse is that the devices lack clear instructions for changing passwords, according to Rapid7.
The smartwatches also come with "filters" so that, in theory, only parents' phone numbers can be used to communicate with the devices and configure settings, like toggling the "SOS" alarm button on or off. But researchers said the security measure was faulty.
"The filter was not working," Deral Heiland, the Internet of Things research lead at Rapid7, told CBS MoneyWatch. "Literally, any stranger could communicate with a smartwatch."
Apart from the watches' weak security, researchers also pointed out the lack of transparency from "white label" vendors that put their logos on products that originated from separate services. Researchers found that many smartwatches, listed on Amazon under different storefronts, actually came from the same manufacturer in China, which could explain why the devices have similar security issues.
Researchers found that two of the three brands did not operate separate websites for their devices, and none of the three listed privacy policies.
As a solution, Rapid7 urged parents to purchase smart devices that come from recognized brands with clearly disclosed privacy policies.
"Security problems are going to come up," Heiland said. "They're not uncommon. But companies that have a brand to protect have better policies around patching and technology, so that when researchers like us do find something, those companies are more responsive to fixing things quickly."