Kids' smart watches are a security/privacy dumpster-fire

The Norwegian Consumer Council hired a security firm called Mnemonic to audit the security of four popular brands of kids' smart watches and found a ghastly array of security defects: the watches allow remote parties to seize control over them in order to monitor children's movements and see where they've gone, covertly listen in on them, and steal their personal information. The data the watches gather and transmit to offshore servers is copious and sent in the clear. The watches incorporate cameras and the photos children take are also easily plundered by hackers.

Though many of these defects are the result of sloppiness, some of these vulnerabilities stem from a fundamental design choice in these devices, which are "to give parents peace of mind while their children play freely outside" (AKA to allow parents to spy on children). A device that is intended to allow a remote party to set policy that the user can't override is intrinsically sneaky: by design, these devices are supposed to run processes that the user can never fully know about or terminate. When hackers gain access to these systems, they are able to exploit that design to cover their actions.

These watches exemplify the surveillance technology adoption curve in which abusive practices start with prisoners, move on to migrants, then poor people, then children, then blue collar workers, then white collar workers. Much of the worst abuses of these watches are papered over by exceptionally abusive EULAs that smuggle new one-sided terms into the already massively tilted landscape of license "agreements." Watch for these terms to spread next to low-waged and gig workers who'll have similar functionality embedded in apps or dedicated hardware used to dispatch and track them.

Using these watches can expose your children to permanent vulnerability: even after you quit the service, the companies retain your children's data indefinitely. In recent years, kid-gadget companies have routinely hemorrhaged sensitive data taken from children and their families: in 2015, Vtech lost 6.3 millions records, and in 2017, Cloudpets lost millions more. The companies that make these watches are almost certainly no better at data-handling than the others who've breached recently.


The right to privacy is enshrined in the United Nations convention on human
rights, and children are afforded special protections under the Convention on
the Rights of the Child.63 By continuously monitoring the location and even
conversations of children, this right may be put under pressure. In Norway, the
use of smartwatches for children has been criticized by both the Ombudsman
for Children,64 the Data Protection Authority, and Save the Children,65 citing the
potentially negative effects that surveillance may have on children’s development,
and the false sense of security that such devices might provide.

The “monitoring” function of the Viksfjord device/SeTracker app is in itself problematic.
Even if one agrees that it should be permissible to listen in on children without
their knowledge, the function enables you to monitor anyone in the vicinity
of the child. This means that the Viksfjord can potentially be used to spy on the
conversations of unwitting people.

#WatchOut
Analysis of smartwatches for children
[Forbrukerradet (Norwegian Consumer
Council)]


(via Schneier)