The AV-Test Institute has issued a product warning for the Chinese made smartwatch SMA-WATCH-M2. The independent testing organisation said the watch had a litany of worrying security failures, for instance, revealing the exact location data of more than 5,000 children around the globe.

The SMA-WATCH-M2 is designed to work with a dedicated mobile app. It works as a GPS tracker via a SIM card and is designed to protect children and give parents a secure feeling.

Parents register an account on the SMA service via the app and then pair their child's smartwatch to their phone. They can then use the app to track the kid's location, make voice calls, and receive notifications if a child leaves a designated area.

However, AV-Test said the watch wasn’t a security device rather in contrast it was a serious liability.

  • AV-Test discovered that anyone could access the smartwatch's backend via a publicly accessible web API which is the interface between the watch and the server where its data is stored.
  • This backend is where the mobile app also connects to retrieve the data it shows on parents' phones.
  • An authentication token is in place to prevent unauthorized access, but attackers can supply any token they like because the server never verifies the token's validity.
  • An attacker can connect to the web API, see all user IDs and collect data on all kids and their parents who are using the watch.

This is the method AV-Test used to individually identify more than 5,000 children using the M2 and more than 10,000 parent accounts.

Most of the children were located across Europe in countries such as the Netherlands, Poland, Turkey, Germany, Spain, and Belgium. AV-Test also found active smartwatches in the UK, Ireland, Italy, China, Hong Kong, and Mexico.

Even creepier

A second vulnerability allows access to the mobile app installed on parents' phones.

  • An attacker can install the mobile app on their device, change a user ID in the app's main configuration file, and pair their smartphone with a child's smartwatch without having to enter a parent account email address or password.
  • Once attackers have paired their smartphone to a child's smartwatch, they can use the app's features to track the child via a map, or even place calls and start voice chats with kids.
  • An attacker can change the mobile account's password and lock the parent out from the app while they give a child wrong instructions.

In summary, AV-Test said the SMA-WATCH-M2 is anything but a product for the protection of children. Attackers can gain access to sensitive personal information, including the name of parents, the name and image of the child, names and numbers of relatives and acquaintances in the phone book. At the same time, legitimate users, such as the parents, can be locked out of the account and thus prevent effective help in an emergency.

The watch is made by Chinese company SMA and is available directly from its website and through many online websites. It’s a product to watch out for, and to be avoided, during the Black Friday and Cyber Monday sales, when it could be available at a heavy discount compared to its normal retail price of around $35.