Shock around the Clock! 6 children's watches in the test

Supposed protection behind the geofence

Tracking devices that come in the form of chic smart watches with cool functions would seem to enjoy much more acceptance among children than simple GPS trackers. Accordingly, the children's watches are promoted as "adventure watches", for example. Like ordinary GPS trackers, watches like these work with a SIM card sold separately, which maintains constant wireless contact with an app on the parent's smartphone. Thus, the child or the watch can be pinpointed virtually down to the exact meter via GPS or wireless triangulation, depending upon network coverage and the device, and its location is displayed on the smartphone or via a connected Internet service.

In the apps of most of the products, safe zones are demarcated on a map via a geofencing function, e.g. the own garden or the way to school. If the GPS watch leaves this zone, an alarm is triggered. This already illustrates one problem of kid tracking: If the child removes the tracker or if it is taken away from the child and remains in the "safe zone", no alarm is triggered on the parents' cell phone. Some products try to solve this problem by sending a message to the parental smartphone when the watch is removed, analogous to an electronic ankle monitor for offenders.

Some watches not only detect whether the child is sticking to the digitally charted path but also the child's speed of movement. This enables parents to tell whether their child is dawdling on the way to school. Some apps save distances traveled and speed of movement of the watches over longer periods, up to one month and longer. This allows for the recognition of movement patterns and regularities over a long periods, however not only for parents.

Wrist phone

Thanks to the SIM card, many children's watches also feature various communications functions, such as an SOS button. If the child is in a dangerous situation, they can trigger this function by pressing a button on the watch. A distress signal is displayed on the parents' app, the current location of the watch is displayed, and a telephone connection is initiated. Parents can use it to speak with their child. When triggering the SOS button, some watches call several predetermined emergency numbers. This may be the phone number of mom, dad or grandma, or also the emergency number of the police. Some watches also offer telephone functionality for predetermined call numbers. Which means it is possible to make phone calls at the touch of a button using these children's watches.

Forbidden listening devices?

One manufacturer promotes the concealed use of the telephone function. However, behind the touted "remote voice monitoring" lurks a plain and simple listening function. With it parents can activate the microphone built into the watch, without the child's knowledge, and listen in on conversations in the background, e.g. in classroom instruction.  That was decidedly going a step too far for Germany's highest regulating authority for telecommunications. Thus, at the end of November, the Federal Network Agency classified watches having such functions as "illegal spying devices". Since then, the sale, acquisition and possession of children's watches with such clandestine telephone functions is subject to criminal penalties in Germany. The public agency also called upon buyers of these watches to destroy them.

Of the children trackers tested here, only one, ANIO, offers relevant spying functions. During the evaluation in the lab, however, it turned out that the manufacturer deactivated the listening function for the German telephone network, already prior to the regulatory ban. All other children's watches tested offered no such listening functions and are therefore not affected by the sales ban.

Loads of functions, heavy monitoring

One of the children's watches evaluated by AV-TEST monitors vital signs, including calorie consumption as well as the sleeping rhythm of the child. How valid the recording of this data is was not determined within the scope of this security test. Likewise, the AV-Test Institute did not rate to what extent all these functions, in addition to the children tracking itself, are to be deemed pedagogically useful.

Apart from all these functions, naturally all children's watches also show the date and time, with an optional analog or digital display. Which means that on a final note, the products can be used to teach children how to tell time.

Six smart watch trackers for children put to the test

The testers in the AV-TEST labs took an in-depth look at the six current GPS watches for children:

•  BELIO, GPS Children's watch, Netherlands
•  ANIO, Two WLAN Touch, Germany
•  CAT, CARL Kids, Germany
•  MyKi, GPS/GSM Children's watch, Bulgaria
•  hellOO, Children's watch, Netherlands
•  Pingonaut, Kidswatch, Germany

External communication: fake callers under this number!

One of the essential protection functions for children – namely that the caller displayed on the watch is actually the person on the line – is not fulfilled by any of the children's watches! Conversely, this means: If the watch signals to the child that there is an incoming call or text message from mom, dad, or grandma, this is not necessarily the case. In the test lab, all the watches proved vulnerable to so-called call ID spoofing. This is where criminals manipulate phone connections through gaps in the telephone protocol in such a way that a previously selected call ID number appears to the call recipient.

The faking of identities is possible through freely available apps, as well as online services such as "SpoofTel", available to anyone. The latter even offers options such as voice modulation in order to imitate familiar voices.

Be sure to keep the child's number absolutely secret!

For the sake of fairness, it is worth mentioning that these methods of faking identities are not only possible on children's watches but also on any smartphone. Unlike young people who have their own smartphones, however, children with smart watches are easier to deceive due to their younger age, and therefore they are a far more vulnerable target for attack.

Because the watches only function with SIM cards on which the PIN protection has been deactivated, attacks are even more probable then on young people’s smartphones. In the test, it was also revealed that on most of the watches, the SIM cards can be removed without hardware protection. And that is why it is child's play for attackers to identify the corresponding telephone number due to missing PIN protection. To do so, the card would simply need to be inserted briefly into one's own smartphone. Whoever has the telephone number can otherwise assume remote control over the watches, for example, via text messaging. In this respect, for example, the ANIO watch is vulnerable because its text messaging function is only protected by a standard password.

To the extent that the use of children's watches is considered at all, parents should take great pains to ensure that the number of the SIM cards used will remain a well-kept family secret. Up to a certain age, this should also apply to cell phone numbers of children.

Check fake call apps!

It is worth noting that the risk for children due to calls under faked identities could be reduced through regulation of freely available spoofing tools. Even if spoofing may be a useful research tool for journalists or lawyers, police authorities in many states warn against fraud-related crimes perpetrated by means of spoofing. In Germany, spoofing, for example, is forbidden under Paragraph 66k of the Telecommunication Act. Clear regulation of relevant spoofing software and online services that are offered in app stores usually as fun apps and enjoy a high download statistics, appears advisable.

Unencrypted and manipulable

Yet the children's watches revealed further vulnerabilities in the test that put the safety of children at risk. After all, what is accepted as a standard for the communication of simple apps is forgotten by half of the manufacturers of children's smart watches: safely encrypted communication between the children's watch, cloud servers and the parental app! As a result, three out of six watches evaluated send data and information via unencrypted connections from the watch to the server onto the app. Attackers are thus afforded the possibility via a man-in-the-middle attack, to secretly intercept and monitor information received by the parental app.

This also means that attackers eavesdropping on the communication between the watch and the app can intercept and exploit information such as the current location of the child, safety zones specified by the parents per app, messages between the child and the parents and much more. One of the watches also even adds the previously mentioned vital signs, such as sleeping behavior. Due to the unencrypted transmission, it is also possible for attackers to manipulate the parent-child communication perceived to be trustworthy. This enables them, for example, to send faked text messages.

It is worth noting that the watches from the manufacturers BELIO, MyKi and Pingonaut had a clean slate in this test category, protecting its wearers from relevant attacks thanks to encrypted communication. The ANIO watch does indeed send its data via unencrypted connections, however the data itself is not easily decipherable in plain text even for attackers. By contrast, the providers CAT and hellOO deny their customers the protection of encrypted data traffic. For both, the complete registration procedure, along with the use of the parental app, occurs unencrypted. As a result, it was possible in the lab to copy the registration and login data, as well as changes to the password.

Parental apps vulnerable to spying attempts

The security of the apps deployed for the communication between parents and children is also decisive, and was precisely evaluated in the lab accordingly. Here as well, two thirds of the watches revealed significant gaps. The app from CAT failed the app test. Among other things, this is due to the fact that it stored the login data unsecured in a log file on the SD card of the smartphone.

Login data captured in this manner offers attackers an additional opportunity to intercept information on the movement of children or to spy on and manipulate the communication. Only the provider Pingonaut, as well as the product from ANIO, were able to convince the testers in this test category. The apps from BELIO, hellOO and MyKi revealed slight vulnerabilities.

Data protection is child protection

In the course of use, the watches collect a large amount, and above all, sensitive data: Starting with the telephone numbers of the child and the people involved, in addition to location data, right down to vital signs. Based on all this information, comprehensive profiles can be created. Therefore, good data protection and an appropriately detailed privacy policy are indispensable. When reviewing the privacy policy and evaluating the apps, however, it turned out that only the providers Pingonaut and ANIO guarantee the data protection of their customers in an acceptable manner. Thus, both privacy policies promise judicious handling of user data. Pingonaut ensures anonymized processing of data and rules out its disclosure to third parties. In the app, and on the servers of the manufacturer, the location movements are also automatically deleted after 30 days. This is in direct contrast to the complete lack of an available privacy policy from hellOO. The remaining three providers were only able to earn a rating of satisfactory in this category. For instance, all three providers make no statement as to the duration of data storage.

Conclusion

The findings of this test are anything but reassuring. Solely based on the vulnerabilities resulting from call ID spoofing alone, the AV-Test Institute cannot recommend any of the tested GPS tracker watches for children.

Apart from this general risk, only the product offered by Pingonaut was able to win over the testers. A two-star rating each was in fact earned by the products from ANIO, BELIO and MyKi. The watches of the manufacturers hellOO and CAT failed due to severe security deficiencies and did not receive any of the three possible stars. Both products exhibited major defects, not only in the test category of external communication. The results of the evaluation of the app security of both providers, along with the lack of a privacy policy from hellOO, were significantly below the standard requirements.