A Chinese-made smartwatch designed to keep children safe is leaking the location of over 5,000 kids – and is still on sale today.
The SMA M2 smartwatch is a GPS tracker for kids that enables parents to keep tabs on their location and even have two-way conversations. However, it seems a security flaw means that it’s not just parents able to check in on the location of their children, reports ZDNet.
AV-Test, which has spent two years testing the security of smartwatches aimed at children, was able to find the location of a huge number of wearers, and identify 10,000 parent accounts.
The team was able to use a publicly accessible API to access and cycle through web IDs, which is the same access used by the smartwatch’s web app that parents use to check the location of their children.
The API revealed location, the device type and SIM card and EMEI numbers of the parents’ smartphone.
And if you didn’t think that was quite dark enough, once a would-be attacked used the API to pair their device with the children’s watch, they could track the child on a map and even start a voice chat with the watch itself.
"The Chinese SMA-WATCH-M2 tops the security failures of other manufacturers by far," said Maik Morgenstern, CEO and the Technical Director of AV-TEST.
Most of the devices were being worn in central and western European countries such as Poland, Turkey, Germany, Spain, and Belgium.
At the time of writing the SMA Smartwatch M2 was still widely available on online retailers.
How we test