Disturbing security flaws in smartwatches for children

18 October 2017

The Norwegian Consumer Council (NCC) has uncovered significant security flaws, unreliable safety features and a lack of consumer protection in smartwatches for children. This comes as Consumers International releases a report looking at connected devices and the consumer protection implications.

Together with security firm Mnemonic, the NCC tested several smartwatches sold in countries across the world under different brand names. The smartwatches are wearable mobile phones that allow parents to use an app on their smartphones to keep in touch with and track the location of their children.

It found numerous failings:

  1. Serious security flawsIn a few simple steps, a stranger can take control of the watch and track and communicate with the child. They will be able to track the child as it moves or make it look like the child is somewhere it is not. The data is transmitted and stored without encryption.

  2. False sense of security: The SOS functions in the Viksfjord and Gator watches are particularly poor. The alerts that are transmitted when the child leaves a permitted area are also unreliable. 

  3. Illegal and non-existent terms and conditions: Some of the apps associated with the watches lack terms and conditions. It’s also not possible to delete your data or user account. These are clear breaches of both the Norwegian Marketing Control Act and the Personal Data Act.

It's very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly” says Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council.

Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist.

Testing our trust: 2017 review of Consumers and the Internet of Things

This is not the first time the issue of a lack of security, safety and consumer protection in connected devises has been raised. Consumers International has released an update and companion piece to its 2016 review of the Internet of Things and the challenges for consumer protection.

Our new report, ‘Testing our trust: consumers and the Internet of Things’ looks at whether trends in connected devices have unfolded as predicted in 2016, whether consumers are experiencing both positive opportunities and detriments from the Internet of Things, and how policy makers, industry and advocates are responding to some of the challenges.

It shows that some of the risks Consumers International identified in 2016, such as bricking devices, excessive data collection and insecure devices are continuing and many companies’ performance on issues such as transparency remains poor.

Download report

Our view

“The #WatchOut research doesn’t surprise us, given what we’ve learnt about the consumer IoT market across the world in our latest report. Businesses need to build in security and privacy at the design stage – not bolt it on as an afterthought when scandal hits. That way we’ll all gain a safer network and businesses will gain trust of their customers.”

Amanda Long, Director General, Consumers International

Further details on the smartphone story:

  • Consumers International brings together over 200 member organisations in more than 100 countries to empower and champion the rights of consumers everywhere. We are their voice in international policy-making forums and the global marketplace to ensure they are treated safely, fairly and honestly.

  • The Consumer Council tested the Gator 2, Tinitell, Viksfjord and Xplora watches, which are being sold in Norway by retailers such as XXL and Enklere Liv. There are other models similar to those we tested being sold under different names. Tinitell performed consistently better than the other watches in our test, but it also offers fewer features than its competitors.

  • The Consumer Council is referring the manufacturers to the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act. These legal acts are based on the EU’s Data Protection Directive and the Directive on unfair terms in consumer contracts, and thus constitutes a breach of EU Law as well. The watches are available in multiple EU member states.

  • Consumer organisations in Europe and the US will also be pursuing our findings with their respective authorities, both nationally and at an EU level.

For more information on the Smartphone story.