MiSafe Child Tracking Watches and the Paradox of Buying Security
Researchers at the cyber security research firm Pen Test Partners published their findings on the security features of the MiSafe Child Tracking smartwatch. The watch is designed and marketed as a device that increases the safety of children. Features include the constant monitoring of the child’s location via GPS, the creation of safe-zones that alert the parents if the child leaves them, eavesdropping on the child through the watch and initiating a call from the parents’ phone to the child’s watch in order to communicate.
On paper, these features seem like good ideas to protect children of a very young age. (The notable exception is the eavesdropping feature. Since the watch does not indicate that it is used for recording, this feature alone technically makes the device illegal in many US states and EU member countries.)
Knowing where children are at any time and allowing only the parents to call them could theoretically increase response times in cases of accidents or abductions by hours. However, if attackers were able to track and contact the children instead, the scenario quickly turns into a nightmare. Since the child believes that only their parents can call them through the watch, it would be trivial for kidnappers to fake a cold to explain changed voices and lure their victim into an abduction.
Unfortunately, this is exactly what appears to be the case. The researchers were quickly able to bypass all security restrictions and take full control of arbitrary watches. While speaking to the BBC, one of the researchers went as far as to claim that “it's probably the simplest hack we have ever seen”.
The impact of this research could be surprisingly broad. According to the researchers, MiSafe merely branded a popular white-label Chinese smartwatch with the given functionality. While no comprehensive lists are available at the time of writing, they estimate that 40,000 MiSafe watches and 53 other brands of child tracking watches are affected by the same or very similar issues. Their assessment is that all child tracking watches are likely to be unsafe.
While this may seem to be an exaggeration, they are surprisingly likely to be correct. In niche markets such as child tracking smartwatches, a single large electronics manufacturer usually dominates the entire niche with white-label products that are then branded by distributors. What seems like a competitive space is thus ultimately a single vendor. And a security vulnerability found in one device is likely to affect all devices by that vendor.
The Paradox of Buying Security
The pattern of devices supposedly designed for security leading to insecurity is nothing new. It is somewhat commonplace. From hackable video surveillance cameras to poorly secured smart locks to antivirus software getting attacked by viruses, the products meant to protect consumers often end up harming them.
To understand why, we need to look at the concept of “risk surface”. It describes how much risk a given system is exposed to. While the specifics can become complex very quickly, the basic idea is that certain actions add to or reduce the risk surface of a system. So, for example, putting a critical system behind a well-monitored firewall will reduce its risk surface. On the other hand, neglecting to install security fixes on said system will increase its risk surface. What is important to understand is that every protective measure comes with its own risk surface. So while the firewall may protect the systems behind it, it may also have vulnerabilities itself. All decisions are a trade-off.
Unfortunately, a lot of devices and software that supposedly work to reduce risk surface introduce a lot of risk surface themselves. This is especially true for devices in niche markets and those built by young startups, because the companies active in this space usually do not have the infrastructure and resources needed to attract high-quality information security talent.
What you can do
In this specific case, the only prudent solution is to avoid using child tracking smartwatches currently on the market. This includes those sold by your mobile carrier. Mobile carriers sell tracking watches because they are bundled with mobile data plans. They usually do not perform any due diligence on the devices themselves. If you absolutely do require a tracking solution for small children or elderly family members, use features such as Apple’s “Find My Friends” or Google’s “Trusted Contacts” on mainstream smartphones instead.
In more general terms, be careful when buying security products, especially those that handle highly personal information such as your location or sound environment. You have to trust that the creator of the device is neither malicious nor incompetent. And while this may be a valid assumption when dealing with giants such as Amazon, Google and Apple, it is a much further stretch when dealing with nameless white-label manufacturers.