Backdoor In Kids' Smartwatch Makes It Possible For Someone To Covertly Take Pictures, Record Audio

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. The Register reports: This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora says. Exploiting this security hole is non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos. "The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

The researchers suggest these smartwatches could be used to capture photos covertly from its built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch. Xplora contends the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and Norwegian Consumer Council in 2017 for assorted security and privacy concerns.

With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot. Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to those to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

Re:

[sound+vision]

Apparently not Dora the Xplora.

Autocrats Watching Their Kids

[rtb61]

Suck it up folks, more autocratically inclined folks will tend to produce more autocratically inclined control systems for their children to keep them safe, no choice. Yeah, they would design devices with parental back doors in them. The problem being, those parental back doors are fine for computer engineers to manage and not so much for the typical technophobe parent as such end up being left wide open for hacking. I would expect a Chinese company to produce a device meant for children to have a backdoor

Baby's first iPhone comes next...

[The New Guy 2.0]

All of these "features" exist in today's cell phones... police and parents can already break in remotely if they wish. So, what's new here? The story here is that a CHINESE COMPANY is doing this. File them next to TikTok.

Re:

[kot-begemot-uk]

All of these "features" exist in today's cell phones... police and parents can already break in remotely if they wish. So, what's new here? The story here is that a CHINESE COMPANY is doing this. File them next to TikTok.

1. The fact that it can be done means that it runs ancient Android. This facility has been removed from Android for quite a while exactly for this reason. From 7? or was it 6? you need to use the Google Services framework for that - applications cannot read SMS. If it runs Android THAT old, it has a gazillion of other backdoors

2. Prior to Google removing the ability for Apps to read SMS, activation by SMS was the standard means for "find my device" applications to receive a wake-up event. So the fact that

Re:

[ArsenneLupin]

From 7? or was it 6? you need to use the Google Services framework for that - applications cannot read SMS. If it runs Android THAT old, it has a gazillion of other backdoors

At least as of Android 9, applications still can read SMS. It's discouraged (if an application is known to do that, it will not be listed in Google Playstore), but if you kept an old application, or installed it manually from apk, it still can read SMS.

Case in point: TermuxAPI. Although current version no longer can read SMS, old versions can, even on Android 9.

Finally!

[Rosco P. Coltrane]

an opportunity to have a discussion about surveillance technology in which nobody can pull the "think of the children" line.

"Security flaw"

[lordlod]

> Xplora takes privacy and any potential security flaw extremely seriously

I love the company treating this deliberate included feature as a security flaw. "One of our developer's buffers overflowed and a bunch of spyware was magically inserted into the firmware." /s

I assume the real flaw they are talking about was that somebody managed to dump the firmware image.

It does mean that people can be hacked

[kbg]

This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing

What? Yes this does mean exactly that. Qihoo has a list of all the encryption keys and can easily get the corresponding phone number from the app. This means that all employees of Qihoo can watch and take pictures of these kids at any time and under orders from Beijing can supply these codes to the chinese government.

Wrong conclusion

[sonamchauhan]

"Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key" ..."means ordinary folks aren't going to be hacked"

So normal people can't be hacked -- based on what? The privacy of their phone number? How is that private when Chinese app harvest phone numbers en-masse.
https://www.gizmochina.com/201... [gizmochina.com]
And a parent would definitely have their child's phone number on speed dial.

So it is entirely possible Chinese government agencies (or other parties) can access both: the watche's factory-set encryption key and phone numbers of most target devices.

Skeptical.

[Truth_Quark]

Xplora contends the security issue is just unused code from a prototype and has now been patched.

I find that difficult to believe. Is anyone here involved in coding an analogous device, who could attest to plausibility?
Developing the code as part of the prototype is difficult to understand without malignant intent at some point.

Re:

[MrL0G1C]

If it was patched out then the back door wouldn't be there. If the backdoor wasn't there then the security firm wouldn't of found it. They also lied and called it an accidental vulnerability when it is clearly a deliberate back door.

They lied about it's creation and they lied about it's removal.

I wouldn't be surprised if devices with backdoors like this were being used to spy on pro-democracy Hong-kongers.

Re:

[karpis]

Nonsense, for prototype you don't use encryption - just plain SMS. Just why bother? Worked with those kind of devices and upper management wanted backdoor and I said that sooner or later it would be exploited and was very happy that they accepted my point. Few years later (I was already left), rogue partner wanted to overtake devices ant then I had huge grin on my face.

Why exactly does a kid need a condscendingspywatch

[BAReFO0t]

I mean even the watch part doesn't make sense.

Bad parenting.

[AndyKron]

Any parent that thinks they need to electronically track their children shouldn't have children IMO.