Children's smartwatches, a really stupid idea
- 19 July, 2019 14:23
When it comes to tech, as a parent I feel that we need to really think about our children’s safety and not make rash decisions based on unvalidated information that will leave us looking red-faced or our children in unsafe situations. Many smart devices are being created for use with our children that are a form of digital nanny. Smart teddies, baby monitors and smartwatches, to mention a few, but these devices are bad for both security and privacy. I have discussed some of these items in my previous articles, but I want everyone to understand how bad some of these devices can be.
I have seen examples of devices being hacked and malicious actors holding the owners of them to a form of blackmail, watching and listening in on devices without the owners knowing anything about what was occurring. These devices are absolutely crazy. They are cheap, low-quality devices in most cases, with minimal or sometimes no attempt at security. I don’t understand why people use them when they put you and your families at risk. We need to really think about these smart devices before rushing out and buying whatever the latest fad device is. Do some research, know what you are giving up (I am not talking about money here), know the risk, know what information the device collects from you.
Did you know that Amazon (I am sure the rest do it as well, they just haven’t been caught out yet) has people that listen to recordings from their smart assistants for so-called research to improve how the assistant functions? I am not sure I completely believe that but let’s pretend I do. Look, I am not ignorant and I am sure that those reading this aren’t either. We all know that these devices record us and listen to everything we say; that's their job. It’s so they can respond when requested, but I think that Amazon, Apple, Microsoft, Facebook, Google and all the other monstrosities that are tech companies these days need to be honest and forthright with what they are collecting.
It shouldn't be something that is dragged out of their dirty laundry for all the world to see when they are caught, but something that they honestly say to their customers: "Look, we listen to some of your recorded conversations on our devices so that we can improve how Alexa works, are you okay with that?" Hey, maybe even make the opt-out option a little bit easier for customers to find, possibly even have a section that is clearly marked on the setup of the device that lets you opt in or out, and actually stick to it. If someone elects no, do not still record them anyway. Just my thoughts, but I am getting a little off point here.
Let’s look at a whole other level of dangerous IoT devices: children's smartwatches. These devices just scream danger to me. This may be the hacker side of me clawing to the surface, wanting to do my worst and bring these devices to their knees, but I just can’t do it. These smart devices are strapped to children’s arms, a personal band that says, “kidnap me, I am right here”. I know you are all probably thinking, wow Craig, you are being a bit dramatic. Yes, I might be, but I want you all to think about the risks here and not just brush them off in the Australian way, “She’ll be right”. This is our children we are talking about here, so that just won’t cut it this time.
These devices use both mobile and GPS tracking services to monitor and communicate with your children. Any time you want to know what they are doing or check the tracking to know where they are, just open your app and there it is. If you can do this, don’t you think a malicious actor could as well? These are cheap devices with no real interest in security, so what is there to stop them? Many parents who will purchase these devices will think they are making their children more secure but in fact, you could well be doing the opposite.
Some smartwatches have what they call a geofencing option, in which you can allocate a virtual boundary with GPS markers that is the defined safe zone for your child, and if they venture out of that allocated area it can alert you to this infraction. But many of these devices will not alert as they are designed to do when the device leaves the geofence. So, if you want this device to let you know when your child ventures too far from home, it may let you know 8/10 times as it is designed to, but what about those two occasions (or more; this is just a hypothetical)? Honestly, if this was my child I would not be happy with an 80% success rate (100 percent or nothing in my opinion).
What about the GPS tracking function itself? I saw Troy Hunt's talk at the AusCERT2019 conference (I mentioned this in my article about the conference). During his talk he told a story of when he allowed one of his colleagues to manipulate the GPS tracking of his daughter's smartwatch (I don’t remember the specific device but that doesn’t really matter) via a flaw in the API call. The device and its control application used unique identification numbers for the smart device. The problem was that you could modify the identification number you wanted to connect with, and once you were authenticated it didn’t do any further checks (I think that is an Oops moment on the manufacturer's/designer’s behalf).
So, they then changed the code in the control app and had an instant connection to, and control of, Troy's daughter's smartwatch. This allowed them to move the GPS location from her playing tennis somewhere on the Gold Coast, where she was meant to be, to suddenly be out in the middle of the ocean. Obviously, if that was your child and you didn't have a friend who was telling you what they were doing, this situation would be terrifying for a parent.
The same flaw that Troy discussed allowed for a malicious actor (not so much in Troy’s case) to also call the smartwatch and communicate directly with his daughter. This functionality is supposed to be locked down to just the parent's account, but this particular app and device have some serious security flaws which still might not have been fixed (I truly hope they have though).
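To make the missing check concrete, here is an added example (not code from the vendor, the talk or this article) of a backend that only authenticates the caller, next to one that also verifies the watch is paired with the caller's account on every request and records refusals for alerting. The class, method names, tokens and watch IDs are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Backend:
    sessions: dict    # session token -> account id
    owners: dict      # watch id -> account id that paired the watch
    locations: dict   # watch id -> (lat, lon)
    denied: list = field(default_factory=list)  # audit trail for alerting

    def _account(self, token):
        account = self.sessions.get(token)
        if account is None:
            raise PermissionError("not authenticated")
        return account

    # Flawed pattern from the article: the caller is authenticated, but the
    # watch id supplied in the request is trusted without any further check.
    def location_authn_only(self, token, watch_id):
        self._account(token)
        return self.locations[watch_id]

    # Hardened: every request re-checks that the watch belongs to the caller.
    def _authorize(self, token, watch_id, action):
        account = self._account(token)
        if self.owners.get(watch_id) != account:
            self.denied.append((account, watch_id, action))
            raise PermissionError("watch not paired with this account")
        return account

    def location(self, token, watch_id):
        self._authorize(token, watch_id, "read_location")
        return self.locations[watch_id]

    def start_call(self, token, watch_id):
        account = self._authorize(token, watch_id, "call")
        return f"call:{account}->{watch_id}"

def demo_backend():
    # Constructed sample data: two parents, each paired with one watch.
    return Backend(
        sessions={"tok-parent-a": "parent-a", "tok-parent-b": "parent-b"},
        owners={"watch-1001": "parent-a", "watch-1002": "parent-b"},
        locations={"watch-1001": (-28.0, 153.4), "watch-1002": (-27.5, 153.0)},
    )
```

A steady stream of entries in `denied` from one account across many watch IDs is the kind of signal an operator of such a service should alert on.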
I would like you to consider this a moment: a malicious actor knows where your child is, and they can listen/communicate with them anytime they would like to. If they call your 7-8-year-old on this device, the child will not question a malicious actor if they say mummy or daddy asked me to come to collect you for whatever reason they decide. They don’t have to ask where the child is (they already know that), and when they pick them up they can make you think they are on the other side of town or at home or anywhere they want you to think. This really sounds like a scary situation to me and I want people to really think about the dangers.
I hope that I have made you all consider the risks involved with these fancy kids GPS trackers and you will all take a step back to figure out if they are something that you are comfortable with for your children.
Look, I could talk about the risks on these devices for another 1000 words but you know what I am trying to say, do your research, don’t just leap and buy the next new toy. Consider the risks and go into them if you decide to do so with open eyes. You and your families will be much safer for it.
That's enough from me for this article, but as always, tell me what you think about these devices. Do you think I am being overdramatic, or should there be some sort of regulations introduced to ensure safety and quality standards are upheld? I want to know your opinions, as we need to make this world of ours more secure together; it's not a battle we can fight alone.
Until Next time…