MiSafes’ Kid Tracking ‘Smart’ Watches like most IoT Devices, insecure

Lack of security and privacy standards in the internet of things can be very painful. Like IoT vendors, toy makers are so eager to make money that they leave even basic privacy and security standards stranded in the rearview mirror as they rush to connect everything to the internet. As a result, kids’ conversations and interests are being hoovered up without consent, with the data frequently left unencrypted and openly accessible in the cloud.

When this situation is studied, time and time again we’re shown how most modern, connected toys can be fairly easily hacked and weaponized. Granted, since we haven’t even gotten more pressing security and privacy problems tackled, problems like Barbie’s need for a better firewall tend to fall by the wayside.

Another recent case in point: A location-tracking smartwatch worn by thousands of children has proven rather trivial to hack. The MiSafes Kid’s Watcher Plus is a “smartwatch for kids” that embeds a 2G cellular radio and GPS technology, purportedly to let concerned parents track their kids’ location at all times. But security researchers at UK’s Pen Test Partners have issued a report calling the devices comically insecure. As with many IoT devices, the researchers found that the devices and the systems they rely on did not encrypt any of the data being transmitted. Personal and sensitive information could be entered into the application, such as phone numbers and passwords, as well as information relating to children (profile pictures, names, date of birth, gender, height, and weight), all of it transmitted across the internet in clear text.

The researchers were quick to note that the only check the system’s API appears to perform is matching the UID with the session_token, so simply changing the family_id in the get_watch_data_latest action allows an attacker to return the watch location and device_id associated with that family. Since the watch updates the GPS coordinates to the API every five minutes, it provides a hacker near real-time insight into a kid’s location.
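
The missing check described above, shown from the server side next to a corrected handler and a regression check that a vendor could run against either one. This is an added example, not MiSafes' code or the researchers' tooling: the data stores, the Forbidden exception and every function name other than get_watch_data_latest are hypothetical, and all sample values are constructed.

```python
# Constructed sample data. Only uid, session_token, family_id, device_id and
# get_watch_data_latest come from the article; every other name is hypothetical.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}    # session_token -> uid
MEMBERSHIP = {1001: {"fam-A"}, 1002: {"fam-B"}}    # uid -> families the user belongs to
WATCHES = {                                        # family_id -> latest watch record
    "fam-A": {"device_id": "dev-111", "lat": 51.50, "lon": -0.12},
    "fam-B": {"device_id": "dev-222", "lat": 53.48, "lon": -2.24},
}


class Forbidden(Exception):
    """Raised when a request fails authentication or authorization."""


def authenticate(uid, session_token):
    # The one check the article says the API appears to perform.
    if SESSIONS.get(session_token) != uid:
        raise Forbidden("uid does not match session_token")


def get_watch_data_latest_flawed(uid, session_token, family_id):
    authenticate(uid, session_token)
    return WATCHES[family_id]          # family_id is trusted as sent by the client


def get_watch_data_latest_checked(uid, session_token, family_id):
    authenticate(uid, session_token)
    # Object-level authorization: the record must belong to the caller's family.
    if family_id not in MEMBERSHIP.get(uid, set()):
        raise Forbidden("family_id is not linked to this uid")
    return WATCHES[family_id]


def cross_family_leaks(handler):
    """Regression check: list (uid, family_id) pairs served outside the caller's family."""
    leaks = []
    for token, uid in SESSIONS.items():
        for family_id in WATCHES:
            if family_id in MEMBERSHIP[uid]:
                continue
            try:
                handler(uid, token, family_id)
                leaks.append((uid, family_id))
            except Forbidden:
                pass
    return leaks


if __name__ == "__main__":
    print("flawed :", cross_family_leaks(get_watch_data_latest_flawed))
    print("checked:", cross_family_leaks(get_watch_data_latest_checked))
```

The flawed handler serves every family's record to any logged-in user, while the checked handler returns an empty leak list because it ties family_id to the authenticated uid on the server.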