Parents could be unwittingly putting their children's safety and privacy at risk, thanks to security vulnerabilities in potentially millions of kids' GPS-tracker watches.

These cheapo watches are supposed to be worn by the youngsters, and use SIM cards to connect to cellular networks. The idea is they beam to backend servers the GPS-located coordinates of the wearer so their parents can, via a website or app, find out where the tykes are at all times.

The devices also display any messages and take calls from guardians, can listen in on a child's activities using a microphone, and warn if the kid has strayed out of a particular area, such as the playground.

However, an investigation by British security shop Pen Test Partners has shown that the software used by a smartphone app that communicates with the watches is so poorly coded that the connections are easy to hijack. This means miscreants can snoop on kids as if they were their parents.

[...] "We believe that in excess of a million smart kids tracking watches with similar vulnerabilities are being used, possibly in excess of 3 million globally," said researcher Alan Monie on Tuesday. "These are sold under numerous brands, but all appear to use remarkably similar APIs, suggesting a common original device manufacturer or ODM."