Image courtesy of Norwegian Consumer Council | YouTube

The Many Ways In Which Your Kid’s Smartwatch Can Be Hacked

Most of us aren’t going to spend hundreds of dollars on an Apple Watch for our kids, but there are many less-expensive, kid-targeted smartwatches available. Unfortunately, a new report claims that your young one’s tiny screen may also be a huge privacy risk.

A coalition of privacy and consumer-interest organizations is asking the Federal Trade Commission to investigate smart watches aimed at children and stop sale of the products if necessary.

The group of advocates — including the Campaign for a Commercial-Free Childhood, EPIC, and our colleagues at Consumers Union, among others — all signed on to a letter [PDF] pressing the FTC to look into the matter.

That’s just the American contingent of a global movement, though. The research report released today [PDF] was sponsored and is published by Norway’s consumer protection agency — basically, this is the same international partnership that took on the My Friend Cayla and i-Que toys last year.

Because the report was commissioned in Europe, it covers some models of smartwatch that aren’t sold in the U.S. However, several models are available domestically: the Caref (sold in Europe as the Gator) and SeTracker smartwatches that the researchers tested are available for purchase on Amazon and other online marketplaces as well.

The privacy complaints boil down into two big buckets.

Security Flaws

Smart devices need some kind of control, and so they nearly always pair with an app of some kind. In the case of products targeted to children, the companion app is usually supposed to be on a parent’s phone.

As the security research team discovered, however, two of the devices they tested, and three of the apps, have serious security flaws.

Wearable tech collects a wealth of personal data. The watches all contain location trackers, cameras, and microphones, among other data-collecting components. That collection of data is meant to grant parents peace of mind, by allowing them to remotely keep an eye on where their kids are going and have been.

However, two of the watches had security vulnerabilities that could remotely allow an attacker access to the companion apps.

Having done that, a third party can contact the child directly through the watch, without the parents being aware. Or one can access the recording functions on the watch “without the kid having to activate any functions on the watch,” as one of the research experts put it, watching or listening to children with nobody any the wiser.

The location data can also be easily spoofed, the research team found, leading the watch to report a false location back — not only unsettling but potentially dangerous, if a child is not where they are supposed to be.

And as if all that isn’t enough, data gathered by these devices may also be sent to servers in several countries without encryption, the report finds, so basically anyone who wants to look can.

Norway’s consumer protection council demonstrated the risks in a video.

Poor Privacy Protections

The report is from Norway, and the European Union has different privacy disclosure laws than the United States. Some of the violations the researchers found, therefore, may not be legal issues here.

However, although privacy law is a mixed bag at best in the U.S., there are two areas where it’s very clear. One has to do with what you say in a privacy policy: That policy doesn’t actually have to guarantee privacy, but a company does have to adhere to what they put in it.

The other has to do with kids. Thanks to the Children’s Online Privacy Protection Rule (COPPA), any entity knowingly collecting data online from children under 13 is required to:

  • Post privacy policies
  • Provide notice to, and obtain consent from, parents about privacy practices
  • Give parents the option of letting kids’ data be used internally but not shared with third parties
  • Permit parents access to review their kids’ data or have it deleted
  • Keep kids’ data confidential and secure
  • Limit the retention of kids’ data after it is no longer needed and take “reasonable measures” to protect it from unauthorized access or use

When the researchers looked at several varieties of kids’ smartwatches, they found the privacy policies were unclear about several key measures.

Only one, the report found, actually asked for consent to collect data. None promised to notify users of any future changes in terms, and none provided a method of account deletion. At least one app explicitly allowed the data it collects to be used for marketing purposes.

A summary of privacy policy terms the research team discovered accompanying children’s smartwatches.

Far-Reaching Implications

Because of these issues, the coalition is asking the FTC to act both thoroughly and swiftly to investigate.

“A careful assessment of these products tells a very unsettling story,” the letter reads.

“The implications for U.S. consumer protection law are far-reaching. The products appear to violate both Section 5 of the FTC Act as well as various provisions of the Children’s Online Privacy Protection Act,” it continues. “We recognize that the FTC has done much to extend privacy protections for children and is also aware of the risks of internet-connected devices. But the development of these products is accelerating and with little regulatory oversight, the risks to children are increasing.”

“If the Commission fails to act,” the group concludes, “families in the United States will be exposed to risks that could otherwise be avoided.”

“When a company sells a smartwatch aimed at children, it must ensure the product is safe and secure,” said Consumers Union technology policy counsel Katie McInnis. “The FTC should launch an investigation into the privacy and security concerns surrounding these products to make sure families are safe.”
