Slashdot Mirror


EU Orders Recall of Children's Smartwatch Over Severe Privacy Concerns (zdnet.com)

An anonymous reader quotes a report from ZDNet: For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children's smartwatch produced by German electronics vendor ENOX. According to the company's website, the watch comes with a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function, and a companion Android mobile app that parents can use to keep track of and contact their children. The product is what most parents regularly look for in a modern smartwatch, but in a RAPEX (Rapid Alert System for Non-Food Products) alert published last week and spotted by Dutch news site Tweakers, European authorities ordered a mass recall of all smartwatches from end users, citing severe privacy lapses. "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed." On top of this, authorities also said that "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

43 comments

  1. privacy? How about safety? by flappinbooger · · Score: 1

    That "feature list" / "bug list" sounds like a predator's wet dream.

    --
    Flappinbooger isn't my real name
    1. Re:privacy? How about safety? by Anonymous Coward · · Score: 0

      Hence the RAPEX warning. Wait, there is something wrong with that. Well, back to reading about the V2X standards.

    2. Re:privacy? How about safety? by Anonymous Coward · · Score: 1

      The RAPEX alert is a safety alert.

      Safety Gate: the rapid alert system for dangerous non-food products

      The Safety Gate rapid alert system enables quick exchange of information between 31 European countries and the European Commission about dangerous non-food products posing a risk to health and safety of consumers.

    3. Re: privacy? How about safety? by Anonymous Coward · · Score: 1

      Still waiting for an explanation of how you get "RAPE-X" out of that word salad.

    4. Re: privacy? How about safety? by Immerman · · Score: 1

      Presumably it wasn't named in English. Like how we get SI units from "International System of Units" (from the French Le Système International d'Unités). That's

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. "trove" of features by quenda · · Score: 1

    a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function,

    So like a phone except you cannot airdrop dick pics?

    1. Re:"trove" of features by Opportunist · · Score: 3

      So like a phone except you cannot airdrop dick pics?

      Is that a challenge?

      Hold my beer.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Is that all? by Errol+backfiring · · Score: 1

    Won't the company be punished for massive privacy violations? In other words: can any other company do the same thing tomorrow and totally get away with such sloppy security? If it is your trade, ignorance is not an excuse. A company that sells communication devices must know how to secure them.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Is that all? by Anonymous Coward · · Score: 0

      This is Europe, so things may be different. In the US, the CEO would be praised for "optimizing incoming data on a select market segment", short his stock before the security breach is public, and start 2019 far more wealthy. There wouldn't be a watchdog group here in the US calling the company out, because the company likely would use DMCA lawsuits to keep the fact the child data is not secure.

      I'm just happy there is someone out there that might stop this stuff.

    2. Re:Is that all? by Drethon · · Score: 1

      Won't the company be punished for massive privacy violations? In other words: can any other company do the same thing tomorrow and totally get away with such sloppy security? If it is your trade, ignorance is not an excuse. A company that sells communication devices must know how to secure them.

      I'm a little curious about the "massive" privacy violations. Are we talking security holes that require years of brute force to break, or something that can be hacked in seconds by a script kiddy? Based on the article saying the data is unencrypted, it seems like the latter.

    3. Re:Is that all? by jeremyp · · Score: 1

      From the summary:

      "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed."

      So I'd say we are talking about backend data that can be hacked in seconds. Except "unauthenticated access" suggests no real hacking is required. That is a huge privacy concern. Furthermore, an attacker can change things, so presumably, they could easily impersonate a parent. I'll leave predicting the consequences as an exercise.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    4. Re:Is that all? by Anonymous Coward · · Score: 0

      I'm a little curious about the "massive" privacy violations. Are we talking security holes that require years of brute force to break, or something that can be hacked in seconds by a script kiddy? Based on the article saying the data is unencrypted, it seems like the latter.

      Well ... let's pull out the rest of the article which says just how bad it is ....

      "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed."

      This sounds like the gold standard for complete fucking incompetence to me.

      This is pretty much the zero security you would expect from someone still in school ... no encryption, no authentication, and quite likely no oversight from ENOX because they didn't give a fuck.

      If you can retrieve and change data without authentication, the developer was utterly incompetent or just took the money and ran ... either way, this is entirely the fault of ENOX.

      So, put it this way: Ole Anton Bieltved is a greedy sack of shit who deserves a bankrupt company because he is more than willing to sell shit products.

      Ole Anton Bieltved is therefore a fucking asshole and a douchebag, and any company he ever works for should have the taint of his indifference to quality -- he clearly doesn't give a fuck about his customers, or is too stupid and lazy to even try to keep track.

      You would have to assume that any other products this company sells are also complete shit, because they clearly have no competence in this area -- my guess is they're just selling cheap Chinese shit and didn't know or care about any of this, which is no excuse.

    5. Re:Is that all? by Anonymous Coward · · Score: 0

      They could be punished.
      It's something that would have to be settled in a court of law and according to the current privacy laws in the EU or Germany specifically.

  4. Not even half-assed security by Anonymous Coward · · Score: 2, Insightful

    How hard is it to use https and prepared statements? (I work in a small company and use prepared statements to prevent accidental SQL injection from a stray quote or similar) Why is the history data editable? Did they just give the app access to the database connection?
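    Transport encryption aside, the two controls this comment asks about are an authorization check and parameterised queries. The sketch below is an added example, not ENOX's or the article's code; the schema, table names and the parent-to-watch binding are assumptions, and the in-memory database and serials are constructed. It places the unauthenticated lookup the alert describes beside a handler that ties every read and write of a watch's data to the parent account enrolled for that serial.

```python
import hashlib
import secrets
import sqlite3


class Unauthorized(Exception):
    """Raised when a request carries no valid parent token for the watch."""


def build_db():
    # Constructed in-memory stand-in for a watch vendor's backend; table and
    # column names are assumptions for this example, not ENOX's schema.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE parents   (id INTEGER PRIMARY KEY, token_hash TEXT UNIQUE NOT NULL);
        CREATE TABLE watches   (serial TEXT PRIMARY KEY, parent_id INTEGER NOT NULL,
                                sos_number TEXT NOT NULL);
        CREATE TABLE locations (serial TEXT NOT NULL, ts INTEGER, lat REAL, lon REAL);
    """)
    return db


def token_digest(token):
    # Only a hash of the bearer token is stored, so a database leak does not
    # hand out usable credentials.
    return hashlib.sha256(token.encode()).hexdigest()


def enroll_parent(db, serial, sos_number):
    """Bind a watch to a new parent account; the bearer token is returned once."""
    token = secrets.token_urlsafe(32)
    cur = db.execute("INSERT INTO parents (token_hash) VALUES (?)", (token_digest(token),))
    db.execute("INSERT INTO watches VALUES (?, ?, ?)", (serial, cur.lastrowid, sos_number))
    return token


def record_location(db, serial, ts, lat, lon):
    # Parameterised statement: the serial is bound as data, never spliced into SQL.
    db.execute("INSERT INTO locations VALUES (?, ?, ?, ?)", (serial, ts, lat, lon))


def weak_get_history(db, serial):
    """The flaw the alert describes: whoever supplies a serial gets its history."""
    return db.execute("SELECT ts, lat, lon FROM locations WHERE serial = ?",
                      (serial,)).fetchall()


def authorize(db, token, serial):
    """Map the token to a parent, then require that parent to own this watch."""
    parent = db.execute("SELECT id FROM parents WHERE token_hash = ?",
                        (token_digest(token),)).fetchone()
    owner = db.execute("SELECT parent_id FROM watches WHERE serial = ?", (serial,)).fetchone()
    if parent is None or owner is None or parent[0] != owner[0]:
        raise Unauthorized(serial)


def get_history(db, token, serial):
    authorize(db, token, serial)
    return weak_get_history(db, serial)


def set_sos_number(db, token, serial, number):
    """Writes get the same check, so a stranger cannot repoint the watch's calls."""
    authorize(db, token, serial)
    db.execute("UPDATE watches SET sos_number = ? WHERE serial = ?", (number, serial))
    return db.execute("SELECT sos_number FROM watches WHERE serial = ?", (serial,)).fetchone()[0]
```

    In a real deployment the token check would sit behind TLS and the parent-to-watch binding would be established during pairing, not by the app's database connection.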

    1. Re:Not even half-assed security by jellomizer · · Score: 1

      It is a German Company.
      Germans are Good Engineers.
      Engineers are really bad programmers.
      Obvious trolling aside....

      Like most commercial software products (built anywhere in the world), business owners want to get the product out the door as fast as possible, and will often rush to release the prototype software as the full live feature. I know by experience that it is very tough to convince executives that while your prototype works and shows off all the features, it will take a few months more of development to get it ready for release, not to add features, but to get it to work faster, fix the holes that were created for debugging reasons, and set up hooks for new features and expansion that is planned or expected. As far as the Executive is concerned it is a product you can sell now, and fix later. The sooner you can get the product to the market the better.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Not even half-assed security by Opportunist · · Score: 1

      The answer to this is simple: Making something work is easy. Making something work securely is hard. Something that's hard to implement takes good engineers. Good engineers cost more money.

      Need I go on or is the wall the train of thought is about to hit obvious?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Not even half-assed security by Anonymous Coward · · Score: 0

      Germans are Good Engineers.

      Horse shit, I own a VW and that thing is a trove of shoddy engineering.

    4. Re:Not even half-assed security by Anonymous Coward · · Score: 1

      It is a German Company.
      Germans are Good Engineers.
      Engineers are really bad programmers.
      Obvious trolling aside....

      Oh, it's far worse than that ...

      Bernieri pointed out that ENOX doesn't even appear to be in control of the Android app that ships alongside with its smartwatches, the app being owned by a Chinese developer who used the app's privacy policy URL to link to their own LinkedIn profile instead, showing little regard for EU's privacy regulation.

      This is straight up "we hired some guy in China who clearly doesn't give a fuck about security."

      This is yet another example of lazy assholes, trying desperately to get a product to market, and not even giving a shit about quality.

      In this case, ENOX has basically outsourced the app to some asshole who cares even less.

      This tells you everything you ever need to know about ENOX .. they're lazy, greedy, and don't give a fuck about you as long as you buy their product. Basically, ENOX is managed by assholes and should not be trusted with pretty much anything.

      Management just outsourced this and didn't take any basic steps to even pretend to give a fuck about security, just profit.

      So, fuck ENOX.

    5. Re:Not even half-assed security by Anonymous Coward · · Score: 0

      The answer to this is simple: Making something work is easy. Making something work securely is hard

      It's even harder to make something work securely when you outsource the app to someone in China and apparently don't make even the slightest pretense at giving a fuck about security. Which is what ENOX did.

      This tells me ENOX is managed by greedy assholes who don't give a shit about their customers.

      I hope this fact gets a lot of publicity, way too many consumer products have non-existent or shitty security, and it's time to make that information very very public ... either the company gets a bad rep and goes out of business, or they start doing something.

      Either way, ENOX deserves all the bad publicity this generates, because they're clearly lazy, incompetent, greedy, and completely unconcerned with anything resembling privacy.

    6. Re:Not even half-assed security by Opportunist · · Score: 2

      China doesn't give a fuck about anything. There is one thing China is really good at: Making millions of copies from a design. What they're really NOT good at is designing themselves. Twice so if it's 100% for a foreign market, they don't give even half a shit about anything that doesn't end up in their own country.

      Much like everyone else, when you think about it...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:Not even half-assed security by drinkypoo · · Score: 1

      China doesn't give a fuck about anything. There is one thing China is really good at: Making millions of copies from a design. What they're really NOT good at is designing themselves.

      I'd say engineering, not designing. For example, China is said to have great automotive designers now. Sure, until fairly recently they just copied everyone else, but not any more.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:Not even half-assed security by Anonymous Coward · · Score: 0

      There wasn't even an attempt to make it work securely. Security wasn't even an afterthought. It's not particularly hard to give a basic crap.

    9. Re:Not even half-assed security by TheCastro1689 · · Score: 1

      They love to over engineer.

    10. Re:Not even half-assed security by Anonymous Coward · · Score: 0

      It's planned obsolescence. Engineering for quality and durability does not make as much profit as engineering for low build costs and making sure that stuff breaks after a set time frame.

    11. Re:Not even half-assed security by Anonymous Coward · · Score: 0

      If you own a VW in the US, it was made in Mexico and specifically cheapened down because the US car market won't tolerate the prices that well-engineered vehicles cost.

  5. German admins/developers by MTEK · · Score: 1

    "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data"

    "I was just following orders!"

    1. Re:German admins/developers by Opportunist · · Score: 1

      You're so 1940. Germany 2020 is more akin to "Yes, we COULD of course do that but that costs more. Is there a law that makes us? No? Is there a lawsuit pending if we fuck up? No? Then why the heck are you bothering us with such petty nonsense?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. RAPE-X by Anonymous Coward · · Score: 0

    they could have thought of a better acronym...

  7. Rapex? by Anonymous Coward · · Score: 0

    RapeX?

    I... what?

  8. German manufacturer? by Opportunist · · Score: 2

    I thought the watches are already banned in Germany since their law identifies them as covert surveillance devices (which are illegal in Germany... unless you're the government, of course)?

    But it's about effin' time these security nightmares get outlawed. Dear helicopter parents: Fuck you.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:German manufacturer? by Anonymous Coward · · Score: 1

      At least our children privacy is protected when another little girl ends up getting raped in a refugee shelter. Thank god our government has their priorities straight!

    2. Re:German manufacturer? by Opportunist · · Score: 1

      I agree. Guess what, nobody gives a fuck about someone else's kids. I'm already hard pressed giving one about the ones we already have here.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:German manufacturer? by Anonymous Coward · · Score: 0

      When a law passes it does not automatically ban or phase out every violation. Violations have to be found by someone first and then brought to a court of law. And when the judicial system determines that there is guilt of violation, the executive has the right to shut that particular thing down.

      This then creates a precedent that makes it easier to prosecute the same and very similar violations in the future or more difficult, depending on what the court determines.

  9. RapeX? by Anonymous Coward · · Score: 0

    RapeX, seriously? That's the best acronym they could come up with?

  10. Words fail me by Anonymous Coward · · Score: 0

    Jesus fucking christ. And this was made in Germany? I expect better from Western developers, I really do. At NO point in the conceptualisation, feasibility study, prototyping, detailed design, app development, integration, manufacturing, or testing did *ANYONE* say 'hey, we're actually encrypting this stuff, right?'

  11. More big government by Anonymous Coward · · Score: 2, Funny

    Oh look, big (huge) EU government interfering in the free market. This will solve nothing that the free market won't solve much better.

    1. Re:More big government by Anonymous Coward · · Score: 0

      Oh look, big (huge) EU government interfering in the free market. This will solve nothing that the free market won't solve much better.

      Ahhhh the wise old libertarian........get lost...

  12. RAPEX spotted by tweakers by AndyKron · · Score: 1

    I'm glad they didn't have this bullshit when I was a kid.

  13. Huawei by found404 · · Score: 1

    See? That wasn't so hard to figure out from a technical standpoint. It didn't even require the resources of a nation-state to determine what was happening with the data and how easy the spyware, data-harvesting device could be accessed (note: nearly everything nowadays is a spyware, data-harvesting machine).

    Instead, we continue to get Smoke & Mirrors with lots of political grandstanding and a "news media" simply parroting the same message with click-baity headlines. The military-industrial-media complex... a hell of a mindtrip.

    Now if the US could start a recall of all those IoT devices and routers that have proven backdoors and mesh-like security off the market, maybe we could take their "troll-concern" message more seriously.

  14. Other kids watches... by MobyDisk · · Score: 1

    My son got such a watch for Christmas, and upon opening it and trying to read the Engrish, and finding an app that has to be sideloaded by downloading the APK from a web site... I got too skeeved out. Maybe I am just xenophobic. There's nothing inherently wrong with a Chinese app -vs- a Russian app -vs- a British app. The only reason I might trust a US or European app is that there is at least some due process of law. It's pretty unlikely that the Chinese are concerned with the locations of children in the US, as though there was some clandestine operation. But I don't have time to evaluate the basic security of something like this. I'm really glad the EU has some laws around this. In the US there is really no liability for security breaches and no organization to evaluate them.

    1. Re:Other kids watches... by Errol+backfiring · · Score: 1

      It's pretty unlikely that the Chinese are concerned with the locations of children in the US

      I think that depends on whose kid it is. Kids often travel with their parents, so turning them into tracking devices might be interesting. Especially with the trade war with the USA, some kids might be an interesting target.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  15. These devices need to be illegal. by Anonymous Coward · · Score: 2, Informative

    There is zero legitimate reason to put GPS on a child. The people who actually believe these devices can keep their children safe by keeping track of their location are the worst parents on the face of the planet. If you want to keep track of your kids, do it by actually keeping track of your fucking kids! Not putting a pedophile bait device on them. No kid under the age of 16 even needs a cellphone, let alone a stupid smart watch that doesn't even serve a real purpose for adults. They are complete gimmick devices in the first place.