Slashdot Mirror


EU Orders Recall of Children's Smartwatch Over Severe Privacy Concerns (zdnet.com)

An anonymous reader quotes a report from ZDNet: For the first time, EU authorities have announced plans to recall a product from the European market because of a data privacy issue. The product is Safe-KID-One, a children's smartwatch produced by German electronics vendor ENOX. According to the company's website, the watch comes with a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function, and a companion Android mobile app that parents can use to keep track of and contact their children. The product is what most parents regularly look for in a modern smartwatch, but in a RAPEX (Rapid Alert System for Non-Food Products) alert published last week and spotted by Dutch news site Tweakers, European authorities ordered a mass recall of all smartwatches from end users, citing severe privacy lapses. "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed." On top of this, authorities also said that "a malicious user can send commands to any watch making it call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS."

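The flaw class the alert describes (per-device data served and modified with nothing more than the watch's serial number as a key), as an added example that is not part of the ZDNet report and is not ENOX's or the app developer's code: a minimal backend in Python with the unauthenticated read and command handlers beside hardened versions that require a parent session token and check that the device is linked to that parent. The table layout, sample rows, serial numbers, phone numbers and function names are all constructed for this example. The queries are parameterized in both versions to make the point that SQL injection is not the problem here; missing authentication and authorization are.

```python
"""Constructed illustration of the flaw class in the RAPEX alert: a backend
that returns and changes per-device data keyed only by a watch serial number,
beside a hardened version that requires an authenticated parent session and
an ownership check. Table names, rows and identifiers are made up for this
example; nothing here is ENOX code."""
import secrets
import sqlite3


def build_db():
    """In-memory SQLite database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE parents (id INTEGER PRIMARY KEY, email TEXT);
        CREATE TABLE devices (serial TEXT PRIMARY KEY, parent_id INTEGER,
                              sos_number TEXT);
        CREATE TABLE locations (serial TEXT, ts INTEGER, lat REAL, lon REAL);
    """)
    db.executemany("INSERT INTO parents VALUES (?, ?)",
                   [(1, "alice@example.invalid"), (2, "bob@example.invalid")])
    db.executemany("INSERT INTO devices VALUES (?, ?, ?)",
                   [("SN-0001", 1, "+49111111"), ("SN-0002", 2, "+49222222")])
    db.executemany("INSERT INTO locations VALUES (?, ?, ?, ?)",
                   [("SN-0001", 1000, 52.52, 13.40),
                    ("SN-0001", 1060, 52.53, 13.41),
                    ("SN-0002", 1000, 48.14, 11.58)])
    return db


class AuthError(Exception):
    pass


# --- Vulnerable pattern: the serial number is the only "credential". ---------
def history_unauthenticated(db, serial):
    """Anyone who knows or guesses a serial gets that child's location history.
    The query is parameterized, so this is not SQL injection; it is missing auth."""
    return db.execute("SELECT ts, lat, lon FROM locations WHERE serial=? ORDER BY ts",
                      (serial,)).fetchall()


def set_sos_number_unauthenticated(db, serial, number):
    """Anyone can repoint the watch's call target for any serial."""
    db.execute("UPDATE devices SET sos_number=? WHERE serial=?", (number, serial))
    return db.execute("SELECT sos_number FROM devices WHERE serial=?",
                      (serial,)).fetchone()[0]


# --- Hardened pattern: session token -> parent, then ownership check. --------
class Sessions:
    """Server-side session store; tokens are random, never derived from serials."""
    def __init__(self):
        self._tokens = {}

    def login(self, parent_id):
        tok = secrets.token_urlsafe(32)
        self._tokens[tok] = parent_id
        return tok

    def parent_for(self, token):
        return self._tokens.get(token)


def authorize_device(db, sessions, token, serial):
    """Return the parent id only if `token` is valid AND the device is theirs."""
    parent_id = sessions.parent_for(token)
    if parent_id is None:
        raise AuthError("no valid session")
    row = db.execute("SELECT parent_id FROM devices WHERE serial=?", (serial,)).fetchone()
    # Same error for an unknown serial and for another parent's device, so the
    # API does not confirm which serials exist.
    if row is None or row[0] != parent_id:
        raise AuthError("device not linked to this account")
    return parent_id


def history_authed(db, sessions, token, serial):
    authorize_device(db, sessions, token, serial)
    return db.execute("SELECT ts, lat, lon FROM locations WHERE serial=? ORDER BY ts",
                      (serial,)).fetchall()


def set_sos_number_authed(db, sessions, token, serial, number):
    authorize_device(db, sessions, token, serial)
    db.execute("UPDATE devices SET sos_number=? WHERE serial=?", (number, serial))
    return db.execute("SELECT sos_number FROM devices WHERE serial=?",
                      (serial,)).fetchone()[0]


def demo():
    """Attacker knows only Bob's child's serial; Alice is a logged-in parent."""
    db, sessions = build_db(), Sessions()
    leaked = history_unauthenticated(db, "SN-0002")
    hijacked = set_sos_number_unauthenticated(db, "SN-0002", "+1ATTACKER")
    alice = sessions.login(1)
    try:
        history_authed(db, sessions, alice, "SN-0002")
        blocked = False
    except AuthError:
        blocked = True
    own = history_authed(db, sessions, alice, "SN-0001")
    return {"leaked": len(leaked), "hijacked": hijacked, "blocked": blocked, "own": len(own)}


if __name__ == "__main__":
    print(demo())
```

The hardened handlers still do nothing about the other finding in the alert, cleartext transport between app and server; that is a TLS configuration matter on the endpoint rather than application logic, and the session token above would be just as exposed over plain HTTP as the serial is.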

  1. privacy? How about safety? by flappinbooger · · Score: 1

    That "feature list" / "bug list" sounds like a predator's wet dream.

    --
    Flappinbooger isn't my real name
    1. Re:privacy? How about safety? by Anonymous Coward · · Score: 1

      The RAPEX alert is a safety alert.

      Safety Gate: the rapid alert system for dangerous non-food products

      The Safety Gate rapid alert system enables quick exchange of information between 31 European countries and the European Commission about dangerous non-food products posing a risk to health and safety of consumers.

    2. Re: privacy? How about safety? by Anonymous Coward · · Score: 1

      Still waiting for an explanation of how you get "RAPE-X" out of that word salad.

    3. Re: privacy? How about safety? by Immerman · · Score: 1

      Presumably it wasn't named in English. Like how we get SI units from "International System of Units" (from the French Le Système International d'Unités). That's

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  2. "trove" of features by quenda · · Score: 1

    a trove of features, such as a built-in GPS tracker, built-in microphone and speaker, a calling and SMS text function,

    So like a phone except you cannot airdrop dick pics?

    1. Re:"trove" of features by Opportunist · · Score: 3

      So like a phone except you cannot airdrop dick pics?

      Is that a challenge?

      Hold my beer.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  3. Is that all? by Errol+backfiring · · Score: 1

    Won't the company be punished for massive privacy violations? In other words: can any other company do the same thing tomorrow and totally get away with such sloppy security? If it is your trade, ignorance is not an excuse. A company that sells communication devices must know how to secure them.

    --
    Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    1. Re:Is that all? by Drethon · · Score: 1

      Won't the company be punished for massive privacy violations? In other words: can any other company do the same thing tomorrow and totally get away with such sloppy security? If it is your trade, ignorance is not an excuse. A company that sells communication devices must know how to secure them.

      I'm a little curious about the "massive" privacy violations. Are we talking security holes that require years of brute force to break, or something that can be hacked in seconds by a script kiddy? Based on the article saying the data is unencrypted, it seems like the latter.

    2. Re:Is that all? by jeremyp · · Score: 1

      From the summary:

      "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data," said authorities in the RAPEX alert. "As a consequence, the data such as location history, phone numbers, serial number can easily be retrieved and changed."

      So I'd say we are talking about backend data that can be hacked in seconds. Except "unauthenticated access" suggests no real hacking is required. That is a huge privacy concern. Furthermore, an attacker can change things, so presumably, they could easily impersonate a parent. I'll leave predicting the consequences as an exercise.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
  4. Not even half-assed security by Anonymous Coward · · Score: 2, Insightful

    How hard is it to use https and prepared statements? (I work in a small company and use prepared statements to prevent accidental SQL injection from a stray quote or similar) Why is the history data editable? Did they just give the app access to the database connection?

    1. Re:Not even half-assed security by jellomizer · · Score: 1

      It is a German Company.
      Germans are Good Engineers.
      Engineers are really bad programmers.
      Obvious trolling aside....

      Like most commercial software products (built anywhere in the world), business owners want to get the product out the door as fast as possible, and will often rush to release the prototype software as the full live feature. I know by experience that it is very tough to convince executives that while your prototype works and shows off all the features, it will take a few months more of development to get it ready for release, not to add features, but to get it to work faster, fix the holes that were created for debugging reasons, and set up hooks for new features and expansion that is planned or expected. As far as the executive is concerned it is a product you can sell now, and fix later. The sooner you can get the product to the market, the better.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Not even half-assed security by Opportunist · · Score: 1

      The answer to this is simple: Making something work is easy. Making something work securely is hard. Something that's hard to implement takes good engineers. Good engineers cost more money.

      Need I go on or is the wall the train of thought is about to hit obvious?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Not even half-assed security by Anonymous Coward · · Score: 1

      It is a German Company.
      Germans are Good Engineers.
      Engineers are really bad programmers.
      Obvious trolling aside....

      Oh, it's far worse than that ...

      Bernieri pointed out that ENOX doesn't even appear to be in control of the Android app that ships alongside with its smartwatches, the app being owned by a Chinese developer who used the app's privacy policy URL to link to their own LinkedIn profile instead, showing little regard for EU's privacy regulation.

      This is straight up "we hired some guy in China who clearly doesn't give a fuck about security."

      This is yet another example of lazy assholes, trying desperately to get a product to market, and not even giving a shit about quality.

      In this case, ENOX has basically outsourced the app to some asshole who cares even less.

      This tells you everything you ever need to know about ENOX .. they're lazy, greedy, and don't give a fuck about you as long as you buy their product. Basically, ENOX is managed by assholes and should not be trusted with pretty much anything.

      Management just outsourced this and didn't take any basic steps to even pretend to give a fuck about security, just profit.

      So, fuck ENOX.

    4. Re:Not even half-assed security by Opportunist · · Score: 2

      China doesn't give a fuck about anything. There is one thing China is really good at: Making millions of copies from a design. What they're really NOT good at is designing themselves. Twice so if it's 100% for a foreign market, they don't give even half a shit about anything that doesn't end up in their own country.

      Much like everyone else, when you think about it...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Not even half-assed security by drinkypoo · · Score: 1

      China doesn't give a fuck about anything. There is one thing China is really good at: Making millions of copies from a design. What they're really NOT good at is designing themselves.

      I'd say engineering, not designing. For example, China is said to have great automotive designers now. Sure, until fairly recently they just copied everyone else, but not any more.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Not even half-assed security by TheCastro1689 · · Score: 1

      They love to over engineer.

  5. German admins/developers by MTEK · · Score: 1

    "The mobile application accompanying the watch has unencrypted communications with its backend server and the server enables unauthenticated access to data"

    "I was just following orders!"

    1. Re:German admins/developers by Opportunist · · Score: 1

      You're so 1940. Germany 2020 is more akin to "Yes, we COULD of course do that but that costs more. Is there a law that makes us? No? Is there a lawsuit pending if we fuck up? No? Then why the heck are you bothering us with such petty nonsense?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. German manufacturer? by Opportunist · · Score: 2

    I thought the watches are already banned in Germany since their law identifies them as covert surveillance devices (which are illegal in Germany... unless you're the government, of course)?

    But it's about effin' time these security nightmares get outlawed. Dear helicopter parents: Fuck you.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:German manufacturer? by Anonymous Coward · · Score: 1

      At least our children's privacy is protected when another little girl ends up getting raped in a refugee shelter. Thank god our government has their priorities straight!

    2. Re:German manufacturer? by Opportunist · · Score: 1

      I agree. Guess what, nobody gives a fuck about someone else's kids. I'm already hard pressed giving one about the ones we already have here.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. More big government by Anonymous Coward · · Score: 2, Funny

    Oh look, big (huge) EU government interfering in the free market. This will solve nothing that the free market won't solve much better.

  8. RAPEX spotted by tweakers by AndyKron · · Score: 1

    I'm glad they didn't have this bullshit when I was a kid.

  9. Huawei by found404 · · Score: 1

    See? That wasn't so hard to figure out from a technical standpoint. It didn't even require the resources of a nation-state to determine what was happening with the data and how easy the spyware, data-harvesting device could be accessed (note: nearly everything nowadays is a spyware, data-harvesting machine).

    Instead, we continue to get Smoke & Mirrors with lots of political grandstanding and a "news media" simply parroting the same message with click-baity headlines. The military-industrial-media complex... a hell of a mindtrip.

    Now if the US could start a recall of all those IoT devices and routers that have proven backdoors and mesh-like security off the market, maybe we could take their "troll-concern" message more seriously.

  10. Other kids watches... by MobyDisk · · Score: 1

    My son got such a watch for Christmas, and upon opening it and trying to read the Engrish, and finding an app that has to be sideloaded by downloading the APK from a web site... I got too skeeved out. Maybe I am just xenophobic. There's nothing inherently wrong with a Chinese app -vs- a Russian app -vs- a British app. The only reason I might trust a US or European app is that there is at least some due process of law. It's pretty unlikely that the Chinese are concerned with the locations of children in the US, as though there was some clandestine operation. But I don't have time to evaluate the basic security of something like this. I'm really glad the EU has some laws around this. In the US there is really no liability for security breaches and no organization to evaluate them.

    1. Re:Other kids watches... by Errol+backfiring · · Score: 1

      It's pretty unlikely that the Chinese are concerned with the locations of children in the US

      I think that depends on whose kid it is. Kids often travel with their parents, so turning them into tracking devices might be interesting. Especially with the trade war with the USA, some kids might be an interesting target.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
  11. These devices need to be illegal. by Anonymous Coward · · Score: 2, Informative

    There is zero legitimate reason to put GPS on a child. The people who actually believe these devices can keep their children safe by keeping track of their location are the worst parents on the face of the planet. If you want to keep track of your kids, do it by actually keeping track of your fucking kids! Not putting a pedophile bait device on them. No kid under the age of 16 even needs a cellphone, let alone a stupid smart watch that doesn't even serve a real purpose for adults. They are complete gimmick devices in the first place.