Security researchers have discovered serious vulnerabilities in a series of children's smartwatches. Potential hackers can use these security flaws to take over the devices, track children and have conversations with them, researchers warn.
But Rapid7's security researchers discovered that it's not just parents who can get in touch with kids wearing the watch. The watches are supposed to be contacted only by approved phone numbers through a whitelist, but Rapid7 found that this filter didn't work at all.
The watches also accepted configuration commands through text messages, which means that a potential hacker could change settings on the watch, putting children at risk.
"You can identify where the phone or the child is, you can gain access to audio, or make phone calls to children," said Deral Heiland, Rapid7's IoT research lead.
All three watches use the same software, so vulnerabilities are spread across the board for all three, the researchers said.
These aren't the only children's connected devices that have glaring security risks. In June 2018, Amazon pulled CloudPets from its store after researchers found vulnerabilities with its Bluetooth. In September, researchers disclosed a security vulnerability in GPS trackers for children that exposed the location data of at least 600,000 users.
Amazon didn't respond to a request for comment on whether it would remove the three watches from its store. The watch makers couldn't be reached for comment.
Rapid7's researchers also found that the three smartwatches had the exact same default password: 123456. It's unlikely people would change this password, as the devices don't even tell users that the password exists or how they can change it, Rapid7 said.
With this simple password and the ability to change configurations through text messages, a potential hacker could take over devices and track children, even pairing the smartwatches with their own phones, researchers warned.
Another glaring flaw Rapid7 found was that there's no way to contact the manufacturers behind the three smartwatches sold on Amazon. Without any way to reach out to the company, Rapid7's researchers raised concerns that there would be no way to fix these vulnerabilities.
"Trying to figure out who the manufacturers are can be difficult, or impossible in some cases," Heiland said. "Very often, the watches are made exactly the same and put in different boxes to be sold."