CNET logo Why You Can Trust CNET

Our expert, award-winning staff selects the products we cover and rigorously researches and tests our top picks. If you buy through our links, we may get a commission. Reviews ethics statement

These kids' smartwatches have security problems as simple as 1-2-3

The default password on these three smartwatches sold on Amazon could let hackers track and eavesdrop on children.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

This smartwatch has security vulnerabilities that allowed potential hackers to track and contact children, Rapid7's researchers said.

Jsbaby via Amazon

Security researchers have discovered serious vulnerabilities with a series of childrens' smartwatches. Potential hackers can use these security flaws to take over the devices and essentially track children and have conversations with them, researchers warn. 

Security company Rapid7 disclosed vulnerabilities with three smartwatches sold on Amazon: the GreaSmart, the Jsbaby and the Smarturtle. All three smartwatches are targeted at children and cost less than $40. They are marketed as tracking devices to keep tabs on kids and allow parents to send messages and phone calls to their children. 

But Rapid7's security researchers discovered that it's not just parents who can get in touch with kids wearing the watch. The watches are supposed to be contacted only by approved phone numbers through a whitelist, but Rapid7 found that this filter didn't work at all.  

The watches also accepted configuration commands through text messages, which means that a potential hacker could change settings on the watch, putting children at risk. 

"You can identify where the phone or the child is, you can gain access to audio, or make phone calls to children," said Deral Heiland, Rapid7's IoT research lead.

All three watches use the same software, so vulnerabilities are spread across the board for all three, the researchers said.

Watch this: Finding our personal data on the dark web was far too easy

These aren't the only children's connected devices that have glaring security risks. In June 2018, Amazon pulled CloudPets from its store after researchers found vulnerabilities with its Bluetooth. In September, researchers disclosed a security vulnerability on GPS trackers for children that gave up the location data on at least 600,000 users. 

Internet-of-things devices are plagued by security issues, raising concern among lawmakers about how easily these products can be hacked. Connected devices don't have any security standards, leaving customers unaware of what vulnerabilities could be present on a gadget. 

Amazon didn't respond to a request for comment on whether it would remove the three watches from its store. The watch makers couldn't be reached for comment. 

Rapid7's researchers also found that the three smartwatches had the exact same default password: 123456. It's unlikely people would change this password, as the devices don't even tell the users that password exists or how they can change it, Rapid7 said. 

With this simple password and the ability to change configurations through text messages, a potential hacker could take over devices and track children, even pairing the smartwatches with their own phones, researchers warned. 

Another glaring flaw Rapid7 found was that there's no way to contact the manufacturers behind the three smartwatches sold on Amazon. Without any way to reach out to the company, Rapid7's researchers raised concerns that there would be no way to fix these vulnerabilities. 

"Trying to figure out who the manufacturers are can be difficult, or impossible in some cases," Heiland said. "Very often, the watches are made exactly the same and put in different boxes to be sold."

The holiday's best smartwatches and fitness trackers

See all photos

Originally published, Dec. 11, 2 a.m. PT. 
Correction at 7:29 a.m.: This story originally misidentified one of the vulnerable smartwatches. It's the GreaSmart, Rapid 7 now says.