I suggest the title be changed from "easy to hack" to "easy to compromise" - I was hoping to see that someone had created a custom firmware for them or something :(
As much as "hackers" wish to keep the word hacker to mean what it used to mean, I think "hacking" has fully entered the English lexicon with the meaning as used in the headline. No amount of complaining and correcting can change that now. It still means what it used to in some circles, but the primary meaning is hacking as in cracking.
Just like we will "literally" never get the literal cat back in the bag.
Who in that company would be liable, should there ever be an incident where a child is tracked, abducted and harmed utilizing this gps device? Just the CEO, or will board members also feel shared pain?
If the corporate info in the terms of use is accurate (Shenzhen Langya Electronics Co., Ltd registered in the Republic of Ireland) then the company would already be bankrupted and assets transferred to a duplicate company in the time it takes a prosecutor to lick the envelope
Edit: This ToS is hilarious
No Data Mining or Harmful Code.
You agree that you will not
(a) obtain or attempt to obtain any information from the Service;
(b) intercept, examine or otherwise observe any proprietary communications protocol used by the Service, whether through the use of a network analyzer, packet sniffer or other device; or
(c) use any type of bot, spider, virus, clock, timer, counter, worm, software lock, drop dead device, Trojan-horse routing, trap door, time bomb or any other codes, instructions or third-party software that is designed to provide a means of surreptitious or unauthorized access to, or distort, delete, damage or disassemble the Site or the Service.
I'd like to remind you of a few priority items if you're in the US:
1. We desperately need to fix incentives for prosecutors. We as a people need to decide what we are trying to optimize for because I'm pretty sure we are not trying to optimize for a near 100% conviction rate. Prosecutors and attorneys general are humans and they react to incentives.
2. We must repeal the CFAA. While an appeals court has apparently ruled that a terms of service (TOS) violation is not a criminal offense, because we have not fixed 1 (above), this will continue to be a problem. As impossible as it might seem to repeal, I think it is much easier than to do 1.
Some people might say that we need the CFAA in some form and that we just need to amend it. Say no to such calls for "moderation". You wouldn't pick the "middle road" between being alone and being dead. I want to be very much alive. The "middle way" of pleasing everyone doesn't always work.
Repeal the CFAA (and don't replace it with anything).
Someone wanting to abduct a specific child is, contrary to popular belief, multiple orders of magnitude more common than someone wanting to abduct an arbitrary child.
Exactly. This past Halloween our neighborhood bulletin board lit up with people freaking out about young children trick-or-treating unsupervised. Someone even cited registered sex offender statistics.
Trying to explain to them that it was more likely that a child would be kidnapped by a friend or family member - or to die in an auto or airplane accident - was seemingly impossible.
Without this device, they have to drive up, close and personal. They have to essentially stalk their victims. There is a greater chance of getting captured on CCTV or having eye witnesses that might get their license plate.
With this device there are a few problems:
1) Parents will have a false sense of security. They may let their child wander off a little farther, possibly out of view.
2) The abductors can passively determine which kids are likely to be farther away from their parents and determine the safest path to extract their victim.
In terms of being silly: This could be a former (abusive) parent that is legally blocked from seeing their kid unsupervised. This is the most common scenario and many of the amber alerts are for this.
In my opinion, if parents are going to rely on something like this, it needs to use military grade encryption and military grade implementation / process and be pentested by numerous independent researchers and come with a multi-million dollar guarantee that it can not be compromised. If that is too difficult with current tech, then this device should not exist. Rather, parents will need to stay with their children until their children are able to defend themselves.
No, the article specifically states "Germany’s telecommunication agency, the Bundesnetzagentur, has banned smartwatches for kids, and is asking parents to destroy them." It used the fact that these are listening devices, yes, but the ban as stated sounds quite absolute.
The Bundesnetzagentur does not have the capacity to ban random devices for children.
They banned these devices because they are essentially bugs/covert listening devices and are even marketed as such. Devices that look innocuous (such as children's watches or teddy bears) but in reality are covert listening devices are banned in Germany by §90 TKG. [1]
This is why the Bundesnetzagentur banned the smartwatches in question. They even cited cases in which these watches were used to monitor teachers in classrooms. [2]
"Normal" smartwatches are NOT banned. "Normal" smartwatches for children are also NOT banned. Only watches with monitoring functions fall under the §90 TKG law. [3]
Note that using an app to bring covert listening functionality to a phone or watch also converts that device into an illegal listening device.
And other articles state that it is only smartwatches with a listening device. This is why you don't trust a single article from a sensationalist website and rely on exact phrasing within it.
It went after some specific smartwatches for kids that had illegal features (specifically, covert remote listening) and reminded people that these features are illegal.
The really disturbing thing about this is how devices like this make surveillance even more normal. It's like training your own children to accept what should be an unacceptable loss of freedom and privacy.
A zero effort hack that yields photo, name, gender and date of birth, height, weight, parent phone numbers, and the phone number assigned to the watch.
And, you can enumerate all kids. Pretty much everything you need for a new app..."Kin-der".
People worry about chat rooms where you would have to social engineer any of that.
They're sold as a tool for enhancing the security of your children, but it's fairly trivial to subvert them to both not do the job they're sold for, as well as giving the attacker extra information they could otherwise have only got through proximity.
If there's a real risk (and while it might be relatively rare, real risks do exist) then the regular routine is hopefully already set up to mitigate the risk. The value to the attacker is in being able to take advantage of deviations from routine that would apart from the watch be invisible to them.
Agreed. I hate the "won't someone think of the children" attitude towards social norms, but they are for the most part utterly defenseless and deserving of some basic protection.
Anything that doesn't use encryption is very easy to hack. You just need to use a tool like Fiddler to understand the protocol. If there is lax authentication, as the article implies, this is something that an amateur can do.
It's also very easy to spoof caller ID, so this opens up children to unsolicited calls.
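The "lax authentication" pattern the thread complains about (any caller can fetch any child's profile by id, so the whole user base can be walked) comes down to a missing object-level authorization check. The following is an added illustration written for this page, not code from any watch vendor or from the article: it shows the unchecked lookup beside a hardened one that ties every record to an authenticated parent session, plus a simple counter that flags sessions with many denied lookups. All data, tokens and ids are constructed.

```python
import secrets
from collections import Counter

# Constructed sample data (not from any real product): child profiles of the
# kind the thread says the watch backend hands out.
CHILDREN = {
    1001: {"name": "Child A", "dob": "2011-04-02", "parent_phone": "+1555010001"},
    1002: {"name": "Child B", "dob": "2012-09-17", "parent_phone": "+1555010002"},
}
# Authorization relation: which parent account is linked to which child ids.
PARENT_LINKS = {"parentA": {1001}, "parentB": {1002}}
# Server-side session store: opaque token -> parent account (constructed tokens).
SESSIONS = {"tok-A": "parentA", "tok-B": "parentB"}
# Detection aid: how many lookups each token has been denied.
DENIED = Counter()

def lookup_child_vulnerable(child_id):
    """The weak pattern: no session, no ownership check, so sequential ids can
    be walked and every child's record is returned to any caller."""
    return CHILDREN.get(child_id)

def lookup_child(token, child_id):
    """Hardened form: authenticate the session, then confirm the caller is
    linked to this child before releasing anything. Unknown ids and unlinked
    ids both return None, so the response does not reveal which ids exist."""
    parent = SESSIONS.get(token)
    if parent is None or child_id not in PARENT_LINKS.get(parent, set()):
        DENIED[token] += 1          # record the refusal for rate/abuse review
        return None
    return CHILDREN.get(child_id)

def new_session(parent):
    """Issue an unguessable session token (assumes the server stores it)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = parent
    return token

def suspicious_tokens(threshold):
    """Tokens denied at least `threshold` times: a burst of refused lookups
    across many ids is the server-side signature of id enumeration."""
    return sorted(t for t, n in DENIED.items() if n >= threshold)
```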