Researchers found a backdoor in Xplora children’s smartwatch

Experts from the Norwegian company Mnemonic are confident that they have found a backdoor specially implemented in the Xplora 4 children’s smartwatch, created by the Chinese company Qihoo 360 Technology Co.

As it turned out, the watch can take photos and record sound, and these functions are activated using an encrypted SMS message.

According to the manufacturer, more than 350,000 of these Android devices have been sold so far, which allow you to make and receive voice calls to parent-approved numbers, as well as send alarm and meta-location data to specified contacts.

“A separate app running on parents’ smartphones allows monitoring the use of the watch and receiving alerts if a child leaves a certain geographic area”, – say information security specialists.

Although Xplora Mobile AS distributes the watch in Europe and the United States, the hardware is designed and manufactured by the aforementioned Chinese company Qihoo 360, and it is also responsible for creating 19 out of 90 pre-installed Android apps for these devices.

“The backdoor itself is not a vulnerability. This is a set of deliberately designed functions with corresponding names that allow to remotely take a snapshot, report a location and organize a wiretap. The backdoor is activated by sending SMS commands to the watch”, — says Mnemonic.

Researchers believe that smartwatches can be used to covertly take photos using the built-in camera, to track the location of the wearer, and to listen to phone calls through the built-in microphone.

Experts do not claim that such an observation actually took place. The fact is that for a successful attack, user needs to know not only the phone number of the device (the watch has a SIM card), but also the unique encryption key. At the same time, it is emphasized that this data is available to the developers of Qihoo 360 and Xplora, and it can also be physically extracted from devices using special tools.

backdoor in children's smartwatch Xplora

Researchers’ fears are related to the fact that earlier Qihoo 360 was included in the sanctions list of the US Department of Commerce. US officials believe the Chinese government may have forced the company to engage in “activities contrary to the interests of US national security or foreign policy.” That is, theoretically, the Chinese authorities may demand to activate the backdoors hidden in the clock.

The Register reporters cite a comment from Xplora representatives who claim that the problem was associated with the remnants of the prototype forgotten in the code.

“During the development of the device, parents talked about how they would like to be able to contact their children in an emergency, as well as be able to receive location data in the event of abduction. Later, it was decided not to implement this functionality in the commercial version of the devices for privacy reasons”, – said Xplora representatives.

Xplora also stressed that the problem has already been fixed: at the end of last week, a corresponding patch was released for the watch.

Let me remind you of the recent scandal, when a Chinese bank forced western companies to install tax software with backdoors. Of course, Chinese bankers rushed to secretly create uninstallers, but then backdoors were discovered and the scandal could not be hush up.

Think a few times before using Chinese software and gadgets.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Check Also

Donald Trump Twitter password

Information security expert picked up Donald Trump’s Twitter password

The Dutch periodical Vrij Nederland reported that the famous security specialist and head of the …

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.