How does a GPS watch work?
Simple. A parent can always see where the child is via an app on the smartphone. You can set two different emergency numbers in the watch that the child can use to ask for help if necessary. Many GPS watches also let you add further phone numbers, which are stored in the watch’s digital address book. Because you can make calls with the device, the GPS watch needs a SIM card. And it is precisely this SIM card that creates privacy and security risks, and the risk of high costs, for many of the watches tested.
The models tested were:
- Q90: available from AliExpress
- Q50: available from AliExpress
- One2track Connect Go: available from One2track
- Belio Touch Kids – GPS Child’s Watch: Available from BOL.com
Here at Qbit Cyber Security we found multiple security flaws in every watch tested. All watches tested had flaws that allowed them to work with a SIM card but without a PIN code. Why is this a problem? Well, a thief could transfer the SIM card to their own phone and make phone calls and use the internet at the parents’ expense, with a sky-high telephone bill as a result.
In addition, with two watches, the Q50 and Q90, a more serious defect was found: anyone who knows the mobile number of the watch can take full control of the watch by simply sending a few text messages to the number. The hacker can then read the location, monitor the child, edit the contact list, edit the emergency number and even switch off the watch. That this hack is literally and figuratively child’s play is evident from the fact that the text messages that allow you to do this are easy to find via Google.
Do you want to know what the safety flaws of each watch are? Read the article on the website of the Consumentenbond.
The manufacturers were shown the outcomes of the testing and invited to respond. The responses varied. For example, One2track, the company that sells the One2track Connect Go, responded quickly and took our conclusions seriously. They immediately started working on our findings and released an update in a short time, which shows that they have improved many things. The biggest concern, encryption, has also been neatly resolved; all traffic now runs through a secure and up-to-date protocol.
Unfortunately, the manufacturer of the Q50 and Q90 did not respond to the weaknesses found. Even after repeated reminders, they did not get back to us. The issues with those watches are so risky that the Consumers’ Association strongly advises against the use of the Q50 and Q90. Note: The Q50 and Q90 are available under different brand names. You can read which these are in the article of the Consumentenbond.
What can you do yourself?
Does your child have one of the tested GPS watches? Then consider purchasing a different brand. If you want to continue using the current model, we recommend that you always observe the following points for the safety of your child:
- Make sure the phone number cannot be retrieved by others.
- Put a limit on the maximum monthly amount that can be spent on the subscription for this telephone number.
- Choose a difficult password of at least twelve random characters or use a passphrase of 20+ characters.
Qbit Cyber Security services for manufacturers
Are you an IoT device manufacturer and would you like to have the device’s safety tested by our ethical hackers? Please contact us.