A popular smartwatch designed just for kids has an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls and track locations in real time, a researcher said.
The X4 smartwatch is sold by Xplora, a Norway-based seller of children’s watches. The device, which sells for about 200, runs on Android and offers a number of capabilities, including the ability to make and receive voice calls to parent-approved numbers and to send an SOS broadcast that alerts emergency contacts to the location of the watch. A separate app running on a parent’s smartphone allows the parent to control how the watch is used and to receive alerts when the child has strayed beyond the set geographical boundaries.
But that’s not all
It turns out that the X4 contains something else: a backdoor that went undiscovered until some impressive digital sleuthing. The backdoor is activated by sending an encrypted text message. Harrison Sand, a researcher at the Norwegian security company Mnemonic, said that commands exist for reporting the watch’s real-time location, taking a snapshot and sending it to an Xplora server, and making a phone call that transmits all sounds within earshot.
Sand also discovered that 19 of the applications pre-installed on the watch were developed by Qihoo 360, a security company and application maker based in China. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware.
“I don’t want that kind of functionality in a device manufactured by a company like that,” Sand said, referring to the backdoor and Qihoo 360.
In June, Qihoo 360 was placed on the US Commerce Department’s sanctions list. The rationale: the company’s relationship with the Chinese government made it “likely to engage in activities against the interests of the United States national security or foreign policy.” Qihoo 360 declined to comment for this post.
Patch on the way
The existence of an undocumented backdoor in a watch from a country with a known record of espionage hacks is concerning. At the same time, this particular backdoor has limited utility. To use the functions, someone would need to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile phone carrier) and the unique encryption key hardwired into each device.
In a statement, Xplora said it would be difficult to get both the key and the phone number for a given watch. The company also said that even if the backdoor were activated, it would be difficult to retrieve the collected data. The statement read:
We thank you for bringing the potential risk to our attention. They have sent you a report stating that Mnemonic is not providing any information. We take any potential security breach very seriously.
It is important to note that the view created by the researchers requires special tools to protect the physical and accessibility of the X4 watch and the encryption key of the watch. It also needs the watch’s private phone number. The phone number for each Xplora watch is determined when it is activated by the parent by the carrier, so no one involved in the manufacturing process has access to it to copy the view created by the researchers.
As the researchers explained, if a person with physical access to the watch and the ability to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s servers in Germany and is not accessible to third parties. The server is located in a highly secure Amazon Web Services environment.
Only two Xplora employees have access to a secure database where customer information is stored, and all access to that database is tracked and logged.
The issue the testers have identified is based on the remote snapshot feature included in the initial built-in prototype watch for potential convenience that can be activated by a parent after a child pushes an SOS emergency button. We have removed the functionality for all business models due to privacy concerns. Researchers have found that some code was not completely removed from the firmware.
Since the warning, we’ve developed a patch for Xplora 4 to address this issue. Not available for sale in and on the morning of October 9 at CET. Let’s move it forward. Since then we have conducted extensive audits. We were notified and found no evidence of safety breaches being used outside of the lubrication test.
The spokesperson said that the company has sold about 100,000 X4 smartwatches to date. The company is preparing to roll out the X5. It is not yet clear whether it has the same backdoor functionality.
Heroic measures
Sand discovered the backdoor through some impressive reverse engineering. He started with a modified USB cable that he soldered to an exposed pin on the back of the watch. Using an interface for updating the device firmware, he was able to download the existing firmware off the watch. This allowed him to inspect the insides of the watch, including the applications and various other code packages that were installed.
One package that stood out was titled “Personal Connection Service.” It starts as soon as the device is turned on and iterates through all the installed applications. As it queries each application, it builds a list of intents (messaging frameworks) that it can call to communicate with each application.
Sand’s suspicions were further aroused when he found intents with the following names:
- Wirelap
- WIRETAP_BY_CALL_BACK
- COMMAND_LOG_UPLOAD
- REMOTE_SNAPSHOT
- SEND_SMS_LOCATION
After more poking around, Sand discovered that the intents were activated using SMS text messages encrypted with the hardwired key. System logs showed him that the key is stored on a flash chip, so he dumped the contents and retrieved it: “#HML; FY / SQ9A5 MDI = $” (quotes not included). Reverse engineering also allowed the researcher to figure out the syntax needed to activate the remote snapshot function.
“Sending an SMS triggered an image taken on the watch, and it was immediately uploaded to Xplora’s server,” Sand wrote. “There was zero sign on the watch that the photo was taken. The screen remained the same throughout.”
Sand said he didn’t activate the functions for wiretapping or reporting locations, but with extra time, he said, he’s confident he could have.
Both Sand and Xplora note that this backdoor would be difficult to exploit, as it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For that reason, there is no reason for people who own a vulnerable device to panic.
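The intent names and the SMS trigger described above lend themselves to a simple audit check on unpacked firmware. The following is an added example, not code from Sand or Mnemonic: it extracts printable strings from each file and flags packages whose strings contain covert-sounding action names, ranking them higher when the same package also receives SMS. The package names, the sample bytes and the severity heuristic are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Keyword stems taken from the intent names listed in the article.
COVERT = re.compile(rb"\w*(?:WIRETAP|REMOTE_SNAPSHOT|SMS_LOCATION|COMMAND_LOG_UPLOAD)\w*")
# Standard Android identifiers an app uses in order to receive SMS.
SMS_HOOKS = (b"android.provider.Telephony.SMS_RECEIVED",
             b"android.permission.RECEIVE_SMS")

def strings(blob, min_len=6):
    """Printable runs in ASCII and UTF-16LE (binary manifests often use the latter)."""
    narrow = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)
    wide = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob)
    return narrow + [w[::2] for w in wide]

def triage(files):
    """files maps 'package/relative/path' -> bytes; returns {package: report}."""
    pkgs = defaultdict(lambda: {"actions": set(), "sms": False})
    for path, blob in files.items():
        pkg = path.split("/", 1)[0]
        for s in strings(blob):
            for m in COVERT.finditer(s):
                pkgs[pkg]["actions"].add(m.group().decode())
            if any(h in s for h in SMS_HOOKS):
                pkgs[pkg]["sms"] = True
    # Assumed heuristic: covert-sounding actions in a package that also
    # receives SMS rank higher than the action names alone.
    return {p: dict(r, severity="high" if r["sms"] else "review")
            for p, r in pkgs.items() if r["actions"]}

# Constructed sample standing in for files unpacked from a firmware image.
SAMPLE = {
    "com.example.connsvc/classes.dex":
        b"\x00\x12dex\n035\x00\x1bcom.example.WIRETAP_BY_CALL_BACK\x00"
        b"\x0fREMOTE_SNAPSHOT\x00",
    "com.example.connsvc/AndroidManifest.xml":
        b"\x03\x00\x08\x00"
        + "android.permission.RECEIVE_SMS".encode("utf-16-le") + b"\x00\x00",
    "com.example.clock/classes.dex": b"\x00setAlarm\x00formatTime\x00",
    "com.example.debug/classes.dex": b"\x00COMMAND_LOG_UPLOAD\x00",
}

if __name__ == "__main__":
    for pkg, report in triage(SAMPLE).items():
        print(pkg, report["severity"], sorted(report["actions"]))
```

A hit is only a lead for manual review of the package; leftover strings can also come from code paths that are no longer reachable.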
However, it is not beyond the realm of possibility that the key could be obtained by someone with a relationship with the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private.
The backdoor underscores the kinds of risks posed by the growing number of everyday devices that run on firmware that cannot be independently inspected without the kind of heroic measures employed by Sand. While this particular backdoor is unlikely to be used, those who have an X4 would do well to ensure their device installs the patch as soon as possible.