The Norwegian Consumer Council and Mnemonic, a security company, revealed that several brands of smartwatches made for children are easily hackable. In response to these findings, U.S. privacy groups have asked the Federal Trade Commission (FTC) to investigate the products' makers.
These watches are equipped with GPS capabilities that are supposed to let parents keep track of their children's locations. The Norwegian Consumer Council and Mnemonic tested the security of four of these watches; three had serious flaws. Mnemonic said in its announcement that the vulnerabilities are "not technically difficult to exploit, and in two cases, allow a third party to covertly take control over the watch."
Taking over these watches, or merely peeking at the location data they gather, could endanger children. That's the exact opposite of what these devices are supposed to do. Quoth the Norwegian Consumer Council in its own press release on the findings:
“It’s very serious when products that claim to make children safer instead put them at risk because of poor security and features that do not work properly,” says Finn Myrstad, Director of Digital Policy at the Norwegian Consumer Council. “Importers and retailers must know what they stock and sell. These watches have no place on a shop’s shelf, let alone on a child’s wrist.”
Yet at this point, the fact that these watches are easily compromised shouldn't come as a shock to anyone. Here's the common sequence of events: An internet-connected product is released, purchased by a bunch of people, and then hacked. It's gotten to the point where the FBI warned parents not to buy internet-connected toys without vetting them first, and Mattel preemptively canceled a kid-focused IoT device called "Aristotle."
There were more concerns about some of the devices. In addition to putting children's data at risk of being hacked, several of the companies' terms and conditions violate the Norwegian Marketing Control Act and the Personal Data Act by not allowing accounts to be deleted, or the companies simply lacked terms and conditions altogether. That means the data collected by these watches is just waiting to be abused to suit the companies' own purposes.
That's why the Electronic Privacy Information Center (EPIC), The Center for Digital Democracy, and other U.S. privacy groups asked the FTC to investigate the findings of the Norwegian Consumer Council and Mnemonic. In a letter, the groups said "this is a real risk to children's safety" and urged the regulator to be more proactive in protecting kids from companies like this.