Up to three million kids' GPS watches can be tracked by parents... and any miscreant: Flaws spill pick-and-choose catalog for perverts

Parents could be unwittingly putting their children's safety and privacy at risk, thanks to security vulnerabilities in potentially millions of kids' GPS-tracker watches. These cheapo watches are supposed to be worn by the youngsters, and use SIM cards to connect to cellular networks. The idea is they beam to backend servers …

  1. doublelayer Silver badge

    To any children reading this

    If there is anyone reading this whose parents have so little trust as to plant a tracking device like those used to track criminals on them, I would like to suggest some ways to help you accidentally render your devices useless. If your parents buy another one after this ends, I'd suggest giving the same treatment to their phones. One good option is to see how waterproof these are. Try tripping and falling into a puddle, putting your hand out to catch yourself. See what happens. If that doesn't work, try abrading it by accidentally brushing against a brick wall. Assuming that fails too, we can always try to damage the watch band, which probably isn't that hard, and coincidentally be walking past a street grate when the band, crap as it is, disgorges its cargo. Let's keep thinking these up.

    1. Anonymous Coward

      Re: To any children reading this

      "If there is anyone reading this whose parents have so little trust as to plant a tracking device"

      It's safe to assume that the majority of kids wearing these cannot read.

      And not every kid develops in a standard way unfortunately, so sometimes standard parenting doesn't apply and devices like these are needed.

      1. Insert sadsack pun here

        Re: To any children reading this

        I doubt these watches are being given to run of the mill teenagers. But I bet a lot of them are being given to younger kids, kids who want to ride their bikes in the woods, kids who are autistic or have learning difficulties (and so get lost or run off frequently), kids whose parents have to arrange complex childcare (so you want to be able to see if they’re at granny’s house safely), kids whose deadbeat other parents keep breaching custody orders...and pets that get these on their collars because they’re cheap!

        I don’t think the world is full of kidnappers trying to steal my kids. I do think sometimes it would be useful to be able to see where they are without teaching or reminding them to pick up the bloody phone...

    2. DropBear

      Re: To any children reading this

      The exact same tech is also sold as "elderly care" wearables, with the same clear-text issues - except of course "think of the children" is so much more catchy...

      1. doublelayer Silver badge

        Re: To any children reading this

        You could do the same thing better with a phone in the sense that you'd have a location tracker and an effective means of communication. The part I have a problem with (all right, the part I have my biggest problem with) is the ability to turn on a microphone and place a bug on them. If you feel you need to do that to your child, you should probably not let your child go to wherever they went. I also feel that parents should really introduce their children to a world where privacy is recognized and respected. The privacy of children from their parents is necessarily limited, but without any, the child will learn to mistrust their parent.

        1. DropBear

          Re: To any children reading this

          @doublelayer lots of these actually ARE also a phone, that's the whole reason they have a microphone in the first place; they simply are a "one number" (well, actually, some cycle through a few if the previous one doesn't pick up) emergency call device, with a single "call" / "panic" button. My hunch is the "listen in" thing is more of a feature creep / default action ("emergency calling is fine but what happens if _it_ gets called? Hey, I know, let's make a bug out of it, one more feature-bullet on the box...!") than a purposefully engineered feature - it's still creepy as hell though, I agree...

    3. EVP

      Re: To any children reading this

      ”suggest some ways to help you accidentally render your devices useless.”

      The best. advice. ever. to treat those spying devices. Unfortunately, as the other readers have noted, a child forced/persuaded/bribed to wear such a spying device probably doesn’t read the Register. If a child does, he/she is already educated enough to give the Treatment without any advice.

      Instead, I suggest the parents reading the piece of news to give their kid’s device the good old sledgehammer induced security patching and then sending the remains^H^H^H secured device back to the manufacturer. Including a notice of reclamation in form of a printed copy of the article in El Reg, signed with a brown sticky ’pen’, might help in getting the message through.

      Grrr...

  2. Anonymous Coward

    Finally...

    a story where "think of the children!" is not inappropriate.

    1. GnuTzu
      Childcatcher

      Re: Finally... Icon

      Yes; and if you'd logged in, you could have used this fine icon--which I've been aching to use for such a long time.

  3. Anonymous Coward

    Regulations?

    There are regulations concerning the safety of children's toys that manufacturers and importers have to comply with. Are there no equivalent regulations for devices like these, that can clearly put children at risk of being harmed?

    1. Will Godfrey Silver badge
      Unhappy

      Re: Regulations?

      In a word...

      No

    2. P. Lee
      Facepalm

      Re: Regulations?

      Regulation is not the answer, education is.

      As in, "What made you think IoT was a security solution?"

      "What made you think a corporation cares about your security?"

      "What made you think giving personal information and tracking data for your child/dependent to a corporation would increase their security?"

      Here's an educational video for you to watch: https://www.youtube.com/watch?v=CFdZWgiAj8I

      This video should be part of all on-boarding and ante-natal programmes.

  4. Anonymous Coward

    A further feature of the watch is that a location zone can be set up that alerts the parent if the child moves outside it. It was found possible to alter this to send an alert to a hacker when the watch entered a chosen zone.

  5. Martin Gregorie

    Why does the server need any details about the child?

    If the watches are intended for use by parents to track their own children, why does the server need to hold ANY of the child's personal details? This seems like a violation of the principle of storing only data needed for the device's intended purpose and means that the server should only store parental contact details, IOW parental names, e-mail and phone numbers, so if the child is injured, sick, gets lost etc, the authorities can use the watch's unique identity (it does have one doesn't it?) to get contact details for the parents.

    1. Mark 85

      Re: Why does the server need any details about the child?

      Well, profit motives seem to be in play here. As the kids grow up or even as "kids", advertisers of child goods would pay for the data and the link to the watch.

      1. doublelayer Silver badge

        Re: Why does the server need any details about the child?

        It's not used for identification. It's used as a really creepy tracking device that places a location and audio tracker on the child. Creepy enough if the parents are the only ones with access, but now there are no restrictions on who gets access. Without the server, you couldn't call up the history of where your child has been or everything they said. I'd really prefer that you didn't, but if you want to, a server is needed (of course, there is no excuse for having an insecure one).

        1. Mark 85

          @doublelayer -- Re: Why does the server need any details about the child?

          It's not used for identification.

          You missed this then:

          The key problem is that the app and the GPS watch do not encrypt their communications, and transmit virtually all data in plain text for anyone to snoop on or meddle with. This includes profile pictures, names, gender, dates of birth, height, weight, and so on, of the child.

          Pretty much has everything on the server about junior. Most parents won't lie about this stuff. And there's probably a parent's name, addy, etc. taken for "identification purposes" or some such. Still gives a pile of info that can be monetized in the present and in the future.

        2. John Brown (no body) Silver badge

          Re: Why does the server need any details about the child?

          "Without the server, you couldn't call up the history of where your child has been or everything they said."

          Considering the power and storage capacity of a modern smartphone, there should be no real need to store any data on a central server other than the time it takes to get there from the watch and be sent on to the app on the phone. For that matter, with a SIM in the watch, why can't the watch just send encrypted GPS coordinates direct to the parent's phone by SMS or email and do all the processing there? No central server required.

    2. Trixr

      Re: Why does the server need any details about the child?

      Yup, if I was going to put a creepy tracker on my child, there's no way in hell I'd have actual data on them in the cloud. "Offspring1" and "Offspring2" would suffice. Maybe, though, that would be overly sentimental for these parents/jailers.

      1. This post has been deleted by its author

      2. Anonymous Coward

        Re: Why does the server need any details about the child?

        Given the kind of mindset of some of these parents, I would suggest CC1 and CC2 (Mrs. Moneypenny, FT)

        1. DropBear
          Trollface

          Re: Why does the server need any details about the child?

          "CC1"

          But then how would you tell it apart from the one you planted on your wife..?!?

      3. John Brown (no body) Silver badge
        Coat

        Re: Why does the server need any details about the child?

        Yup, if I was going to put a creepy tracker on my child, there's no way in hell I'd have actual data on them in the cloud. "Offspring1" and "Offspring2"

        If you were a Spanish fireman, you could call your kids Hose-A and Hose-B :-)

        Yeah, any coat, it doesn't matter, I'm in a real hurry!!!

  6. Anonymous Coward

    Currently unavailable

    "We don't know when or if this item will be back in stock. "

    According to Amazon.

    Word gets around quick!

  7. Eddy Ito

    Shocking? More crap security on IoT (Internet of Tots) kit. Security, it's a word in the dictionary right before shite.

  8. john.jones.name
    WTF?

    shocking

    they have form for this kind of thing

    https://www.dailymail.co.uk/sciencetech/article-5419989/Security-experts-discover-Mi-Cam-baby-cams-hacked.html

    (scary that the daily mail has a decent summary of the camera)

    GPS watch is not a bad thing, it's how it's used that could be a problem

    (which is the same problem as a hammer, it's the users that are the issue)

  9. Danny 2

    Get Smart

    Years ago I advised my old mum not to get a smart phone because the police could track her. She replied she'd like the police to be able to track her. We both bought smart phones.

    There is an interesting/scary article on the BBC Scotland website today:

    Police Scotland cyber kiosks 'could be unlawful'

    https://www.bbc.co.uk/news/uk-scotland-46225771

    The introduction of technology allowing the police to gather data from mobile phones or laptops looks set to be delayed following concerns its use may be unlawful.

    Police Scotland has spent hundreds of thousands of pounds buying 41 "cyber kiosks" - which can override passwords - from an Israeli firm.

    The plan was to deploy them around the country next month.

    But concerns have been raised that using the technology could be illegal.

    The digital forensic devices can rapidly search electronic devices to look for evidence, helping police at the early stage of investigations.

    1. Anonymous Coward

      Re: Get Smart

      That's alright, we'll have control of our own laws soon

  10. Mr Templedene

    If you've been careless enough to buy and start using one of these devices, before taking el-reg's advice about disassembling the device with a hammer and deleting the app, make sure you remove all data and photos from the central server.

    Assuming they don't keep everything as a matter of course (for "security reasons") and simply mark it as deleted.

  11. Pascal Monett Silver badge
    Flame

    What the hell ?

    Why on God's green Earth do you need ANY detail about the person wearing the tracker ?

    The only thing you need is the ID of the device. The people who bought the device are the only ones who need to know who is wearing it.

    If the kid gets lost, they can give the ID of the device to the cops. There is ZERO need to have ANY personal details associated with the device.

    Please excuse the caps but my GOD that is making me angry.

  12. Black Betty

    Let fines for poor security management equal absolute revenue.

    Make it impossible for product vendors to boost/pad their bottom line by cutting corners on security, by fining them 100 percent of the revenues (not profits) from any offending products. Sell a million crap devices for $10 each, pay a $10 million dollar fine on top of any reimbursement paid to customers for recalled/returned items.

    Demonstrate a good faith effort to implement security, fine is not applicable, but crap like hard coded credentials, plain text comms, and other trivial security holes, should be matched by a black hole in the vendor's wallet.

  13. Anonymous Coward

    My first thought...

    All working as intended then.

  14. DuncanLarge Silver badge

    How ironic :D

    How ironic it is that these devices, designed to spy on children, grooming them into accepting surveillance as a normal part of their lives, coming across as a way to "protect" them in a way that no generation of children before them needed in all the thousands of years past, actually put them more at risk.

    I honestly thought this was a joke. A device designed to track and spy on kids? No child before them has been subject to such horrible invasion of their privacy. You could argue that devices like these will help keep kids from getting lost from parents at a theme park etc where there are lots of people, the devices could help the kids and parents narrow in on each other. That seems fine. But tracking and listening in on them and whoever they happen to be with (or simply nearby) is plain creepy.

    I personally know someone who came to me saying that he thought it was very creepy that Microsoft was watching his own kids' internet access and emailing him reports on what his son had been up to every week. He works with me in IT.

    These devices need to be banned. They should be offered out by the police to help track and trace celebrities' children following messages from a stalking fan etc, not available to the general public. They never get made correctly anyway. We live in a world of bluetooth enabled baby monitors that allow any device to connect from the street, letting them monitor (or even talk to) the kiddies or even to attempt to see if the house is empty and ripe for a rummaging.

    We don't need our kids to be carrying around internet connected microphones that condition them to accept tracking as "normal" while allowing anyone to listen in on anything in the vicinity.

    I can imagine so many plots for films where there is a scene where the parents send their kid to next door's kid's party and use this device to listen in on the neighbors to prove they did indeed steal the giant light up snowman as a way to get back for breaking their lawnmower. Or where a kid is given a fiver to go stand next to those business men looking innocent and cute while Jason Bourne gathers some intelligence from their conversation...

  15. TechDrone
    Big Brother

    Kids need to learn, but...

    As a concept I like this. Cheaper than a phone, not likely to get dropped or left behind in a coat pocket somewhere (at least you'd be able to find their coat). Being able to call them back for tea at the right time, them being able to get help easily, and me being able to hear what they're up to as if they were playing in the garden is a good thing. For now I can do this in person (and it's cool to have Dad playing apparently). It won't - and shouldn't - be the case forever.

    And when they're at the age where they resent my entire existence they will hopefully have learned to behave properly when Dad isn't around, or at least, learned how not to get caught...

    No doubt in 30 years time they'd be wanting to do the same to me and make sure that I've got to/from the pub or chippy OK as well.

    But FFS do it *properly*.

  16. Anonymous Coward

    cookie? test
