Hackers can track, spoof locations and listen in on kids' smartwatches

Tests on smartwatches for children by security firm Mnemonic and the Norwegian Consumer Council have revealed them to be riddled with flaws. The Oslo-based company teamed up with the trading standards body to investigate several smartwatches aimed at kids, specifically the Xplora (and associated mobile application Xplora T1), …

  1. Anonymous Coward

    Yawn

    There is no financial incentive for any firm to implement IoT security : therefore no security.

    El Reg have a story about this every other week but until there is an incentive for these firms to give a damn, they won't.

    We can all be appalled and say how bad it is, but no one cares... that is the world we live in.

    Won't someone think of the children? ... nah, they won't if there is a dollar to be made.

    1. John Smith 19 Gold badge
      Unhappy

      "There is no financial incentive for any firm to implement IoT security : "

      Actually there is.

      Because if enough people are aware just how unsafe any of this s**t is they will stop buying all of it.

      The smart move is not to trust any of it.

      When mfg start going out of business the smarter one might decide that perhaps some of their code monkeys should start doing something about this.

      1. Charles 9

        Re: "There is no financial incentive for any firm to implement IoT security : "

        No there isn't because the average person is too stupid to make the connection, and You Can't Fix Stupid. It has to be so blatantly obvious even an idiot can see it, such as these things leading to actual kidnappings.

        1. Naich

          Re: "There is no financial incentive for any firm to implement IoT security : "

          The sort of person who buys their kid a smartwatch for safety reasons is the sort of person who will go absolutely apeshit if they found out that it would be possible for paedophiles to hack them. All it needs is a few scare stories in the tabloids and people will be more wary of buying IoT crap.

        2. Chairo
          Unhappy

          Re: "There is no financial incentive for any firm to implement IoT security : "

          "No there isn't because the average person is too stupid to make the connection, and You Can't Fix Stupid."

          Problem is - even relatively intelligent non-techie people have no clue about the risks of connected devices. They see the convenience and shrug away the risks.

          On a personal note - Last week wifey bought a creepy connected talking teddy for our toddler. I told her the thing is nothing else than an unsecured Bluetooth headset connecting to a dodgy app. Anyone around can connect to it. The app can probably be hacked as well and the Android tablet it runs on hasn't seen a security update for the last one and a half years.

          Wifey shrugged it away and meant that there is nothing interesting any listener could hear in our house, anyway. The depressing truth is - she is probably right.

          1. DropBear

            Re: "There is no financial incentive for any firm to implement IoT security : "

            Problem is, in the modern world advertising and media is not "based on" but instead CONSTITUTES the properties of any product for 99.99% of customers. Some of us happen to be knowledgeable enough to know better, yes. But everybody else hears "extra security for your kids!" on telly and they know this watch makes their kids extra secure (no doubt about that), then they read "your kids peddled to paedos by security watch" in a tabloid and they know their kids are in mortal peril (no doubt about that) whether any of that is actually the case or not.

            Which is not to say this stuff is not badly bugged (I'm sure it's plenty insecure) - but rather that most people don't stand much of a chance of making any determination more sophisticated than the above about most things in their lives. Reading up on things takes lots of time (which nobody has, especially regarding every single thing they might actually need to know about every single thing) and it is ultimately severely limited by not having profound expertise and experience in assorted background topics, the way commentards here tend to have a lifetime's worth of about IT.

            For instance, I don't believe there is any realistic amount of reading I could ever possibly do to gain a pertinent insight into the intricacies of protein folding - which might potentially be the key piece of information I might lack trying to make an informed decision on some topic related to, say, nutrition or health. We know why end-to-end encryption is fundamentally different than non-end-to-end, what https protects you against and what it does not and so on - the average punter (or mumsnet dweller) does not, never will, and never could. In the absence of a better and more objective source, they have no choice but to remain the plaything of corporate ads and sensation-chasing rags...

        3. Trigonoceps occipitalis

          Re: "There is no financial incentive for any firm to implement IoT security : "

          @Charles 9

          "You Can't Fix Stupid"

          Parents do "think of the children", all the time. Screwing with their offsprings' security is the one thing that has any hope of pushing an IoT security agenda, and possibly fixing stupid (or rather ignorance).

  2. fidodogbreath
    Meh

    SIoTAFU

    The project found "significant security flaws, unreliable safety features and a lack of consumer protection" [...] Strangers can easily seize control of the [insert.device.names] and use them to track and eavesdrop on children due to a lack of encryption and other failings [...] He reported his findings in August to the manufacturer but has received no response to date.

    So, just another sunny day in IoT Paradise.

    Really, "security news" in the IoT space would be if someone ever sells a product that has any.

    1. Adrian 4

      Re: SIoTAFU

      Is this an IoT device?

      Seems more like a mobile. When is a device IoT, or does any device on the internet qualify?

      1. Francis Boyle Silver badge

        It's a thing

        and it's on the internet.

        More seriously, if it's not a conventional computing device (and I would count all smartphones as such) it presumably counts as an IoT device.

      2. DropBear

        Re: SIoTAFU

        It's kinda both. More or less it's a miniaturised mobile phone with GPS so it can alert / call a list of preconfigured contacts if the wearer presses the panic button, but it also maintains a data connection to a server and reports / can be queried about most of its settings and the travel log, so IoT is more or less justified too.

  3. Anonymous Coward

    Won't somebody think of the children!

    My simple mind really does struggle to get itself round the concept of someone creating an app and device such as this without taking security into account at all. I just don't get it. Did they have a meeting when developing this and someone mentioned security only for someone else to say don't worry about it, it costs too much anyway?

    I think there needs to be regulation put into law for IoT tat before it's too late.

    1. Commswonk

      "I think there needs to be regulation put into law for IoT tat before it's too late."

      Er... it's already too late.

  4. Anonymous Coward

    No worries, it's not like...

    We live in Dystopian times with people that'd put this to evil uses...

  5. Anonymous Coward
    Joke

    These things ARE safer!

    Only problem is that no one bothered to wonder "Safer for who?".

    Welcome to modern day design: where you simply assume that others think about things in the exact same way as you do.

    1. Palpy
      Devil

      Re: These things ARE safer!

      Perhaps not "safer for who" but "safer than WHAT?"

      It's an old advertising dodge: "New RainbowWatch is now SAFER!" meaning it's safer than sending your child to play in a pond full of half-starved crocodiles. Same as "New Tide gets clothes cleaner" means it's cleaner than rubbing them in sheep's droppings.

  6. Anonymous Coward

    Rule 1

    NEVER buy electronic gadgets designed for kids. They will never be secure. Not that things intended for adults are secure, but at least there's generally more known about them.

    I mean we know security on Apple Watch and Android Wear isn't perfect, but at least there have never been any exploits found that allow using them as a bug or tracker!

    1. DuncanT

      Re: Rule 1

      "I mean we know security on Apple Watch and Android Wear isn't perfect, but at least there have never been any exploits found that allow using them as a bug or tracker!"

      Actually, with BlueBorne, Android Wear can be turned into a bug or tracking device...

  7. John Smith 19 Gold badge
    Unhappy

    Helping you keep an eye on your kids when you're not around.

    And by the sound of things the whole f**king internet can watch them as well. *

    I wonder if they are playing the VTech game of T&C that tell you all data sent at owner's risk to their privacy etc etc.

    *So handy for the organized nonce planning their "cruising schedule" for them and their van.
