Backdoor found in Xplora children's smartwatches

Wednesday, October 14, 2020, 2:16 GMT

Researchers at the Norwegian company Mnemonic believe they have discovered a backdoor, developed by the Chinese company Qihoo 360 Technology Co., built into the Xplora 4 children's smartwatch. The watch, it turns out, can take pictures and record audio, and these functions are activated via encrypted SMS messages.

According to the vendor, about 350,000 of these Android-based devices have been sold so far. The watch can make and receive voice calls to parent-approved numbers and send alerts and location data to specified contacts. A separate app running on the parents' smartphones lets them track how the watch is used and receive a warning if the child leaves a defined geographic area.

While the watch is sold by Xplora Mobile AS in Europe and the United States, the hardware is developed and assembled by the aforementioned Chinese company Qihoo 360, which is also responsible for 19 of the 90 Android apps pre-installed on these watches.

"The backdoor itself is not a vulnerability," the researchers write. "It is a set of purposefully crafted functions with matching names that allow taking a snapshot remotely, recording the location and arranging a wiretap. The backdoor is triggered by sending SMS commands to the watch," says Mnemonic.

The researchers say the smartwatch can be used to covertly take pictures with the built-in camera, to monitor the wearer's location, and to listen in through the built-in microphone. The function names listed in the report are WIRETAP INCOMING, WIRETAP BY CALL BACK, COMMAND LOG UPLOAD, REMOTE SNAPSHOT, and SEND SMS LOCATION.

The researchers do not believe that such surveillance necessarily took place. A successful attack requires knowing not only the device's phone number (the watch has a SIM card) but also a special encryption key. At the same time, they stress that this data is available to Qihoo 360 and Xplora developers and could also be extracted from the devices themselves with physical access and special tools.

In particular, the researchers are concerned that Qihoo 360 was earlier added to the US Department of Commerce's sanctions list. US officials claim that the Chinese government may have pressured the company to take part in "activities contrary to the interests of U.S. national security or foreign policy." In other words, the Chinese authorities could potentially insist that the backdoor hidden in the watch be activated.

Reporters at The Register quote a statement from Xplora representatives, who say the issue stems from leftover prototype code that was forgotten in the firmware. During development of the device, parents reportedly said they would like to be able to reach their children in an emergency and to obtain location information in the event of a kidnapping. Later, for safety reasons, it was decided not to include this feature in the consumer version of the devices.

Xplora also stressed that the issue has already been fixed: a corresponding patch for the watch was released at the end of last week.

"It is important to remember that physical access to the X4 watch and [knowledge of] the phone number are required for the potential weakness," says an Xplora spokesperson. "Even if this feature were activated, the only place the data could end up is Xplora's servers in Germany, located in a highly secure Amazon Web Services environment that is not accessible to third parties. The secure database where customer information is stored is accessible to only two Xplora employees, and access to that database is carefully monitored and logged."