Security researchers at AV-TEST have discovered a major security flaw in a smartwatch currently available on the market. The flaw exposes extremely sensitive information online. The offending smartwatch does not belong to a mainstream company such as Apple, Google, Fitbit, or others. Taking a closer look, researchers found this flaw in the SMA-WATCH-M2, a smartwatch made by Shenzhen Smart Care Technology (SMA). The issue allowed access to real-time location data recorded on the wearable along with personal information.
Chinese smartwatch security flaw details
The leaked personal information includes the name, address, age, and images of the user. However, what is even more problematic is the fact that these smartwatches were aimed at children. Security researchers confirmed that they were able to access the location data of “more than 5,000 children” across the globe. The SMA-WATCH-M2 functions as a GPS tracker with the help of a SIM card. Most parents use it to keep track of their children. The lack of security also allowed security researchers to listen to and even manipulate confidential conversations. This confirms the widespread concerns with cheap China-made IoT devices.
As per the report, such Chinese IoT devices fail to meet even the bare minimum IT security and privacy standards. Maik Morgenstern, the CEO and Technical Director of AV-TEST, shared the details of the security problems with the SMA-WATCH-M2. Maik noted that all the data, including user and location data, was left unprotected on the SMA server in Shenzhen. As previously noted, this includes unsecured and unencrypted voice and location data.
Pearl, the German supplier of the Chinese smartwatch, took it off the shelf after the initial discovery. In addition, AV-TEST gave SMA a month-long notice to fix the gaping security holes in its wearable. However, SMA continues to distribute the product without fixing the problems. Researchers were able to access all the data through “a completely unsecured online interface” on the server. They also noted that the number of affected users may be much higher because many importers distribute the smartwatch as a private brand in different countries.