MiSafe, a smartwatch that allows parents to communicate with and track their children, is extremely vulnerable to attacks, according to security researchers. Personal information like children’s photos, identification information, and locations is at risk of being hacked.
Ken Munro and Alan Monie, researchers at Pen Test Partners, found that accessible PC software could mimic the app’s communications, allowing hackers to easily change the ID number and access accounts.
“It’s probably the simplest hack we have ever seen…I wish it was more complicated. It isn’t,”
said Munro of the MiSafe watches. Not only can hackers access the device’s data, but they can also change the settings so the watch accepts calls from unauthorized parties. On top of that, the researchers were able to change the caller ID number so hackers could pretend to be the children’s parents.
Although 14,000 unsafe MiSafe watches are in use, MiSafe hasn’t taken any action to recall their watches. Some consumer groups like the Norwegian Consumer Council (NCC) have publicly admonished insecure devices like the MiSafe watches. “This is another example of insecure products that should never have reached the market,” said Gro Mette Moen, the NCC’s director of digital services. Meanwhile, eBay has banned sales of the MiSafe watch due to their security breaches. Despite this response from both public and private sectors, the MiSafe manufacturer and its China-based supplier have not responded to interview requests from the BBC or addressed their security issues.
As advances in technology leave consumers vulnerable to attacks, federal and state laws must play a game of catch up. Currently, only one state has any laws regarding the cybersecurity of connected devices. At the end of September, California passed law SB-327, which requires manufacturers to embed their devices with security features, largely pre-programmed passwords or two-factor authentications. However, it won’t go into effect until January 1, 2020. As most people with connected devices aren’t aware that data is shared across multiple devices, according to a survey from market research company Clutch, many are left vulnerable to attacks.