Cory Doctorow #BLM+ Your Authors @doctorow Pre-order the audio- and e-book for ATTACK SURFACE, the third Little Brother book, on my first-ever Kickstarter: Sep. 10, 2020 1 min read + Your Authors

When it comes to the security defects in kids' smart watches: "Once is happenstance. Twice is coincidence. The third time it's enemy action." For years, these tracking-cuffs have been the locus of awful security scandals. Now it's happened again. 


Some background: in 2017, the Norwegian @Forbrukerradet audited 4 brands of kids' smart watch and revealed that strangers could monitor children's movements and see where they've gone, covertly listen in on them, and steal their personal information.


The watches gathered copious amount of data and sent it, in the clear, to offshore servers. The watches incorporate cameras and the photos children take were also easily plundered by hackers. 


A year later, @PenTestPartners audited the popular MiSafes watches for 3-12 year olds were also insecure, and could be used as covert listening and tracking devices, and even to alert attackers when a target child was nearby. 


Six months after that, Pen Test followed up to test the manufactuer's claims that they'd fixed these defects.

They hadn't. 


After two years of this nonsense, the EU started to recall some of these watches. 


But it's been a year since that happened, and guess what? The watches are still flaming garbage that you strap to your kids' wrists. Writing in @wired, @a_greenberg reports on a Münster University of Applied Sciences paper analyzing the watches. 


Tldr: the paper is called "STALK."

The watches could be attacked to

* get kids' locations

* send voice and text messages to children that appear to come from their parents

* intercept communications between parents and children

* as listening bugs


The manufacturers were informed of all this in April, and they didn't fix it.

It's not like these are subtle errors. The watches have no authentication, no encryption, and can be tracked with their SIMs' IMEIs.


The backend servers are vulnerable to SQL injections.

"When WIRED asked Schinzel if three years of security analyses gave him the confidence to put these smartwatches on his own children, he answered without hesitation: 'Definitely not.'"



Cryteria (modified) 


You can follow @doctorow.


Tip: mention @threader_app on a Twitter thread with the keyword “compile” to get a link to it.

Enjoy Threader? Sign up.

Since you’re here...

... we’re asking visitors like you to make a contribution to support this independent project. In these uncertain times, access to information is vital. Threader gets 1,000,000+ visits a month and our iOS Twitter client was featured as an App of the Day by Apple. Your financial support will help two developers to keep working on this app. Everyone’s contribution, big or small, is so valuable. Support Threader by becoming premium or by donating on PayPal. Thank you.

Follow Threader