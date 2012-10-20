Stories
Undocumented Backdoor that Covertly Takes Snapshots Found in Kids’ Smartwatch

posted by Fnord666 on Tuesday October 13, @01:23PM
from the hidden-features dept.
Security

Freeman writes:

https://arstechnica.com/information-technology/2020/10/a-watch-designed-exclusively-for-kids-has-an-undocumented-spying-backdoor/

A popular smartwatch designed exclusively for children contains an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said.

The X4 smartwatch is marketed by Xplora, a Norway-based seller of children's watches. The device, which sells for about $200, runs on Android and offers a range of capabilities

[...] [Norwegian security company Mnemonic's researcher, Harrison] Sand's suspicions were further aroused when he found intents with the following names:

  • WIRETAP_INCOMING
  • WIRETAP_BY_CALL_BACK
  • COMMAND_LOG_UPLOAD
  • REMOTE_SNAPSHOT
  • SEND_SMS_LOCATION

After more poking around, Sand figured out the intents were activated using SMS text messages that were encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the contents and obtained it—"#hml;Fy/sQ9z5MDI=$" (quotation marks not included). Reverse engineering also allowed the researcher to figure out the syntax required to activate the remote snapshot function.

"Sending the SMS triggered a picture to be taken on the watch, and it was immediately uploaded to Xplora's server," Sand wrote. "There was zero indication on the watch that a photo was taken. The screen remained off the entire time."

Original Submission
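
The trigger path described above (an incoming SMS handled by the firmware, leading to intents such as REMOTE_SNAPSHOT) suggests a static check an auditor can run on a decoded `AndroidManifest.xml`. The following is an added example, not code from the article or from the researcher; the sample manifest, its package and class names are constructed, and it assumes the manifest has already been decoded to text XML and that the action names are declared there.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
# Keywords derived from the intent names listed in the story.
SUSPICIOUS = re.compile(r"WIRETAP|SNAPSHOT|LOG_UPLOAD|SMS_LOCATION", re.I)
SENSITIVE = {"android.permission.RECEIVE_SMS", "android.permission.CAMERA",
             "android.permission.RECORD_AUDIO",
             "android.permission.ACCESS_FINE_LOCATION"}

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.watchsvc">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".CmdReceiver" android:exported="true">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".RemoteService">
      <intent-filter>
        <action android:name="com.example.watchsvc.REMOTE_SNAPSHOT"/>
        <action android:name="com.example.watchsvc.WIRETAP_INCOMING"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

def audit_manifest(xml_text):
    """Flag SMS-receiving components and surveillance-like action names."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = {"sensitive_permissions": sorted(perms & SENSITIVE),
                "sms_receivers": [], "suspicious_actions": []}
    app = root.find("application")
    for comp in (app if app is not None else []):
        name = comp.get(ANDROID + "name")
        for action in comp.iter("action"):
            act = action.get(ANDROID + "name", "")
            if comp.tag == "receiver" and act == SMS_RECEIVED:
                findings["sms_receivers"].append(name)
            elif SUSPICIOUS.search(act):
                findings["suspicious_actions"].append((name, act))
    return findings
```

A hit is only a lead for manual review: a component that receives SMS on a device that also declares camera or audio permissions and wiretap-style actions is worth decompiling.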


  • (Score: 1, Funny) by Anonymous Coward on Tuesday October 13, @01:36PM (2 children)

    by Anonymous Coward on Tuesday October 13, @01:36PM (#1063968)

    The watch is marketed as waterproof and safe to wear in the bath

    • (Score: 3, Informative) by maxwell demon on Tuesday October 13, @01:56PM (1 child)

      by maxwell demon (1608) on Tuesday October 13, @01:56PM (#1063974) Journal

      I just found some (German language) offer for the watch in question. [smartwatch.de] One of the advertised properties is indeed:

      wasserfest, IP68

      The German word “wasserfest” indeed means waterproof. IP68 means safe from dust and from keeping under water for 30 minutes.

      Interesting are the following claims on the page:

      keine unbemerkten Bildaufnahmen möglich
      keine Abhörfunktion

      Translation:

      no unnoticed photo taking possible
      no wiretap function

      Well, apparently both claims are blatantly false.

  • (Score: 3, Funny) by maxwell demon on Tuesday October 13, @01:36PM

    by maxwell demon (1608) on Tuesday October 13, @01:36PM (#1063969) Journal

    It's sold as a watch for children. And it contains functionality to watch children. So it's performing as advertised. :-)

  • (Score: 0) by Anonymous Coward on Tuesday October 13, @01:46PM (1 child)

    by Anonymous Coward on Tuesday October 13, @01:46PM (#1063970)

    All your "smart" devices are sending the info of you and your children to creepy and possibly evil people. Including the one I'm typing on now. Do people still not know this?

    • (Score: 2) by Rosco P. Coltrane on Tuesday October 13, @02:13PM

      by Rosco P. Coltrane (4757) on Tuesday October 13, @02:13PM (#1063979)

      It's worse than that: people know Big Data exploits rapes their privacy, IoT devices are as secure as a lamb in a wolf-only club, devices can take intimate pictures of them or their front door and send them to unaccountable companies, that their sensitive data is regularly "lost" by their government, hospital, social security... and they just don't give a flying fuck.

  • (Score: 2) by Rosco P. Coltrane on Tuesday October 13, @02:01PM

    by Rosco P. Coltrane (4757) on Tuesday October 13, @02:01PM (#1063977)

    Don't think of the children, for once.

