Norwegian Consumer Council Releases Alarming Report on Child Smartwatch Privacy and Security Failures

by Stephen Schroeder - Nov 09, 2017 Category: Devices
GPS Tracking for Employees and Business

Free Premium Business Account:

Take our quick 5 question survey and get a premium Business Account free for 3 months and 50% off for life in appreciation for your early adopter interest in Turtler.

GET FREE BUSINESS ACCOUNT

At Turtler we are going above and beyond to make both our mobile application and our Turtler SHELL GPS device the absolute best for personal data and security.

We study existing devices and services to ensure we're actually at the forefront when we launch Turtler next year and we are consistently surprised by the predictable errors and security gaps that are prevalent in existing GPS and mobile telephony devices and especially those meant for children.

The state-supported but politically independent Norwegian Consumer Council (NCC) has published a recent research report called WatchOut seeking to push reform in the regulation of GPS smartwatches with calling features. They are referring the manufacterers to be reviewed by the Norwegian Data Protection Authority and the Consumer Ombudsman for breaches of the Norwegian Personal Data Act and the Marketing Control Act.

..
Norwegian Consumer Council WatchOut Child Smartwatches Report

Pretty serious stuff, and their initiative has sparked more awareness in the US, with seven advocacy groups including the Electronic Privacy Information Center (EPIC), The Center for Digital Democracy, the Campaign for a Commercial-Free Childhood, and The Consumer Federation of America joining together in an open letter to the Federal Trade Commission (FTC) pushing for increased oversight of child telephony smartwatches and services.

In a nutshell, the NCC report purports that:

"Devices that use the Internet to allow real-time location tracking of, and direct communication with, young children, and which store names, photos and continuous and historic geolocation data, should have strong safeguards in place. This entails not only a high level of security to avoid unwanted access, but also a robust framework to ensure that data protection laws and the privacy rights of children are respected and upheld. Three out of the four watches that were analyzed fall short in both respects."

 

And we couldn't agree more. The Norwegian Consumer Council and the IT security firm Mnemonic summarize their extensive report on child smartwatches thusly:

 

Critical Security Flaws

"The tests done by Mnemonic have uncovered critical security flaws in three of the apps and devices. As detailed in Mnemonic's report, two of the devices have flaws which could allow a potential attacker to take control of the apps, thus gaining access to children’s real-time and historical location and personal details, as well as even enabling them to contact the children directly, all without the parents' knowledge. Additionally, several of the devices transmit personal data to servers located in North America and East Asia, in some cases without any encryption in place. One of the watches also functions as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that this is taking place."

 

A False Sense of Security

"We have also found that the advertised safety-enhancing features, such as an SOS button that alerts the parents if the child is in distress, and a geofencing function that sends an alert whenever the child enters or leaves a designated area, were unreliable. In practice, this means that the device might in fact provide a false sense of security. This is especially disconcerting since the smartwatches are meant to provide peace of mind for the parents who purchase the devices."

 

Lack of Respect for Consumer Rights

"Inadequate and unclear user terms deny consumers their basic consumer and privacy rights when engaging with these products. Only one of the services actually asks for consent to data collection, none of them promise to notify users of any changes to their terms, and there is no way to delete user accounts from any of the services. At least one of the companion (Xplora)apps also allows children’s personal data to be used for marketing purposes, while the other three are unclear about how this information may or may not be used. Additionally, one of the services (Gator) transmits unencrypted children’s location data to China. Together, these issues constitute several breaches of European data protection and consumer protection laws."
Norwegian Consumer Council summary of terms found for child smartwatches
..
Norwegian Consumer Council summary of terms found for child smartwatches

 

Chaotic Market

"Additionally, the abundance of smartwatches for children available internationally, with cheap Chinese products being imported and rebranded by a vast number of local retailers, makes it difficult to obtain a clear picture of who is responsible for the various products. For example, several different smartwatches for children use the same app as the Viksfjord watch, the SeTracker app. Some of these devices are seemingly identical to Viksfjord, but are sold under different names on a worldwide basis. As far as we can tell, all the watches using the SeTracker app have the same security and privacy vulnerabilities as the Viksfjord.

Overall, we have uncovered many serious problems with smartwatches for children. It seems clear that consumers currently should think twice before purchasing these or similar devices.

The findings also serve to illustrate the emerging problems facing consumers in the world of connected devices, and the need to make sure that product safety regulations also apply to products with digital components."

 

How Will Turtler Be Better?

We are putting privacy and security at the forefront of our features, it's the most important feature. Before sending one's personal location the framework to share that location should be private, the connection secured, and the data encrypted.

We'll cover here the issues they found with other devices and compare them with the differences in our engineering that make Turtler more secure:

- Potential attacker can take control of the apps:

The Turtler app is locked so that access to the app requires entering a password, fingerprint, or facial recognition sign in. The connection of a device to an app owner cannot be changed without email verification from the original device purchaser. To access the app plus device, the password and email steps would both have to be circumvented. In addition, 2 factor authentication can be used with Turtler for example authorizing settings changes or for disconnecting a device to release it to be tethered to another app user. 

- Devices transmit personal data to servers located in North America and East Asia, in some cases without any encryption in place. One of the services (Gator) transmits unencrypted children’s location data to China:

Turtler's servers are in Zurich, Switzerland at a Tier 3 data center with the highest ISO 27001 certification qualifying it for financial sector use. A critical security feature is our automatic, ongoing deletion of location information unless it is specifically and purposefully saved otherwise by users. So there isn't a history of places visited and routes taken in Turtler as that data is constantly purged. Any data that is saved is encrypted with AES 256 bit encryption.

"Under European data protection regulations, continuous location data, especially when combined with other information such as a unique identifier, is considered personal data. This means that such information merits special protection under European legislation, and appropriate measures must therefore be taken to protect the privacy of consumers."
..
NCC #WatchOut Report
 - Watches function as a listening device, allowing the parent or a stranger with some technical knowledge to audio monitor the surroundings of the child without any clear indication on the physical watch that this is taking place:

This feature does not exist in the Turtler SHELL, the device microphone used for calling cannot be activated apart from a regularly received phone call by the user.

- Advertised safety-enhancing features, such as an SOS button that alerts the parents if the child is in distress, and a geofencing function that sends an alert whenever the child enters or leaves a designated area, were unreliable:

We are going to great lengths to maximize the uptime and reliability of our device's calling and location transmitting features. In our testing so far the device is working as well as regular mobile phones with connectivity dependent on the quality of network coverage. 

- Inadequate and unclear user terms deny consumers their basic consumer and privacy rights:

The Terms and Conditions from Turtler are very customer friendly and clear on all points that personal data will never be shared with third parties, not used for marketing purposes, and never infringe on the user's privacy. Turtler is committed to delivering quality location sharing and GPS tracking services that only access and share the minimum and the specific information that uses choose to share - and only with whom they wish to share it. 

- No way to delete user accounts:

We give a clear process in the user application and accounts how to delete an account and ensure that when doing so that all personal data is deleted along with the account.

- One of the apps allows children’s personal data to be used for marketing purposes while the other three are unclear about how this information may or may not be used:

Peronal data in Turtler will never be shared with advertisers. They will not be able to see any information that is personally identifiable or distinguishable. Companies may pin their locations and events within Turtler, but this is only a one-way presentation of information, and they will never be able to see the personal info of others. 

- The abundance of smartwatches for children available internationally makes it difficult to obtain a clear picture of who is responsible for the various products. For example, several different smartwatches for children use the same app as the Viksfjord watch, the SeTracker app:

Many GPS device and smartwatch sellers only rebrand devices bought off the shelf or online from manufacturers without adequate testing, quality assurance or controls to ensure they will work at global standards. Further, most only rebrand outdated and buggy apps.

At Turtler we are working closely with our manufacturing partner to ensure the highest quality, performance and value. We are backing our product with a 1 year warranty and 3 month satisfaction guarantee. Our applications are wholly developed by us, in house, over an extensive user testing process.

Serious Security Risks Discovered with the Child GPS Smartwatches

In the Norwegian Consumer Council and IT security firm Mnemonic #WatchOut video at the top of the article they pinpoint 5 main areas for concern in their testing. These are the main takeaways for us from each section that help caution us for concern areas as we finish developing Turtler:

1. Unauthorized access

"An attacker needs a unique identifier, or an IMEI, for the watch and you use that as part of the registration process. You type in the verification code, forward the request along to the server, and now I've associated the watch with a new account that didn't originally have access to it. You do not need physical access to the watch to get the IMEI number." - Harrison Edward Sand, IT Security Expert, mnemonic

 

2. Remote audio surveillance

"We identified that there is the possibility to use these devices as a spy device, without the kid ever having to activate any functions on the watch or even being aware that something is happening." - Harrison Edward Sand

 

3. Location spoofing

"An attacker would have access to all the location history that would be stored in that parent's app. We also identified some other problems with location history where an attacker can manipulate where the location of the watch looks to be in the app... you can see all the location history. We can also change the location data sent from the watch and the device's server." - Harrison Edward Sand

 


4. SOS compromised

"We did identify some problems with the emergency functionality. Normally a child can press the emergency button and it would initiate a phone call back to the parent, but an attacker with control over the app could change the phone numbers that are supposed to be called or they could just delete them entirely." - Harrison Edward Sand

 


5. Insecure Data Storage 

Is the information stored safely? - "Not as safely as you might think. On some of the watches the communication was not encrypted, so anybody sitting on the network could see that information passing back and forth. Some of the servers don't protect the information the way it should be. With one of the watches, it was actually possible to return data for other users and see location information about other people." - Harrison Edward Sand

 

Conclusion

The NCC report is full of cautionary info for parents and manufacturers alike. There are too many security and privacy holes and errors in the GPS child smartwatch ecosystem. A higher quality focus is a must if these products are going to continue fitting the communication and location awareness gap for children who aren't ready for grown-up mobile phones. Attention must always also be paid to the privacy rights of children as they are the wearers of the devices after all and aren't as able to voice or understand the consequences of carrying the devices and the connections and location data they create.

At Turtler we aim to learn from these studies and concerns and make a better product.