How was this possible, I hear you ask? In addition to communication with the manufacturer’s server being unencrypted, the online interface of the manufacturer’s server was completely unsecured, leaving it entirely open to external unauthorized access. Although an authorization token was generated to prevent unauthorized access, the server does not check it. Which essentially means anyone with enough “hacking” skills should have no problem in accessing user IDs. This allows potential attackers to have the same access that a parent would have.
To sum it up, a device that is supposed to help parents keep track of their children and give them a peace of mind can be turned into a surveillance device for bad actors. This lapse in security was found to affect users in Germany, Turkey, Poland, Mexico, Belgium, Hong Kong, Spain, the Netherlands, and China. There is a possibility that the number of affected people may be well over the previously estimated 5,000.
To read the complete article see:
https://www.welivesecurity.com/2019/11/29/smartwatch-exposes-location-data-children/
