8.4 | 1920 review
8.4 | 1920 review
0

Unsafe GPS watch for children

Here’s what to look out for when buying a GPS watch for children

GPS watches for children are popular. Knowing where your child is and staying in touch are the main reasons for buying such a product. We are seeing more and more negative reports about the safety of GPS watches for children. “That’s a shame because it gives a false impression of the entire product range. Using GPS watches for children is safe, but consumers do need to know which products are safe,” says Sander de Potter, CEO of Spotter®.

Münster University of Applied Sciences carried out research

Earlier this year, the Dutch Consumers’ Association published a study on GPS watches that use the SE Tracker app and are therefore unsafe. In April 2020, Münster University of Applied Sciences in Germany conducted research into the safety of GPS watches for children and published its findings in a research report entitled “STALK: Security Analysis of Smartwatches for Kids”. This revealed that a number of manufacturers are selling unsafe GPS watches for children. In this article, we discuss these security vulnerabilities and explain how GPS supplier Spotter® addresses them.Spotter® GPS watches are completely safe and do not usethe manufacturers listed below, as explained in more detail in this article.

What has the research focused on?

The “STALK” study examined six GPS watches from different brands. These were the StarlianTracker GM11, the Polywell S12, the JBC Kleiner Abenteurer, the Pingonaut Panda2, the ANIO4 Touch and the XPLORA GO. Manufacturers JBC, Polywell, ANIO and Starlian were found to be using virtually the same model, supplied by the Chinese electronics company 3G Electronics, which offers the smartwatches as white-label products.

What was the subject of the study?

The research focused on the communication between the smartwatches and the supplier’s backend system, as well as the interaction between the parents’ smartphone app and the supplier’s backend system. This interaction takes place via the smartphone’s internet connection.

Security vulnerabilities found

A number of security vulnerabilities were identified during the investigation.

Takeover of the backend

    \

  • On three of the four backend platforms, the GPS watch’s location could be ‘spoofed’. This means parents may think their child is in a different location than they actually are.

    • \

  • On two of the platforms, it is possible to ‘spoof’ voice messages from the GPS watch to the smartphone app.

    • \

  • And one backend platform could even be taken over entirely, making it possible to track individuals wearing the watch.

The backend of the Spotter® GPS watches cannot be compromised in any way. Authorisation is based on a unique username and password. This applies to all endpoints within the app. These details are transmitted via a secure SSL connection and are therefore inaccessible.

Communicating without encryption and authentication

    \

  • Smartwatches using the 3G platform communicate without encryption or authentication with the server that relays information to and from the parents’ smartphone app.

    • \

  • The backend server was also found to be vulnerable to SQL injection, which could allow an attacker to gain access to users’ private data. ANIO’s backend server does require users to log in. However, once logged in, a user can easily view other users’ data by modifying their user ID. These IDs appear to be incrementally assigned, making it easy to identify other users.

At Spotter:

    \

  • All Spotter® communications are encrypted and authorised. A secure VPN connection is used for all communications between the Spotter® GPS tracker and the platform (GSM).

    • \

  • IDs from another account cannot be retrieved on Spotter® either, due to the account-level security on the Spotter platform. This means that no data can be retrieved that is not part of the user’s own customer account, and SQL injection is also not possible.

Sending data to servers outside the EU

Another issue identified by the researchers is that 3G and ANIO send EU users’ data to servers outside the EU without disclosing this. This puts the companies in breach of the GDPR.

Spotter® uses servers within the EU and therefore complies with GDPR legislation. Furthermore, data is not made available to third parties for commercial purposes. 

 

Insecure GPS trackers

According to the research report “STALK: Security Analysis of Smartwatches for Kids”, GPS watches from these manufacturers are unsafe:

    \

  1. Manufacturer 3G Electronics

    2. \

  2. Manufacturer Pingonaut Panda2

    3. \

  3. Manufacturer ANIO4 TOUCH

    4. \

  4. Manufacturer XPLORA Go

In April 2020, these manufacturers were informed of the findings of the investigation report. Some issues have been resolved, but a number of vulnerabilities remain.

Spotter® offers a secure GPS tracker for children

Spotter® GPS children’s watches are completely safe to use. The products carry the CE mark, which means they comply with the safety requirements set out in all European Directives. In addition, the highest standards of data security are applied to ensure secure data processing. This means that the user’s privacy is fully guaranteed. Read more about Spotter®’s security and privacy here. Sources:FH MÜNSTER University of Applied SciencesConsumentenbond Security.nl