A popular smartwatch designed exclusively for children features an undocumented back door that allows someone to remotely take camera photos, eavesdrop on voice calls and track locations in real time, a researcher said.
The X4 smartwatch is marketed by Xplora, a Norway-based retailer of children’s
But that’s not all
It turns out that the X4 contains something else: a back door that went undetected until some impressive reverse engineering. The back door is activated by sending an encrypted text message. Harrison Sand, a researcher with Norwegian security company Mnemonic, said there were commands to covertly report the watch’s real-time location, take a snapshot and upload it to an Xplora server, and place a phone call that transmits all sounds within earshot.
Sand also found that 19 of the applications pre-installed on the watch were developed by Qihoo 360, a security company and app maker based in China. Qihoo 360’s subsidiary 360 Kids Guard also co-designed the X4 with Xplora and manufactured the watch hardware.
“I wouldn’t want that kind of functionality in a device made by a company like this,” Sand said, referring to the back door and Qihoo 360.
In June, Qihoo 360 was added to the US Department of Commerce’s sanctions list. The stated reason: the company’s ties to the Chinese government made it likely to engage in “activities contrary to the interests of national security or US foreign policy.” Qihoo 360 declined to comment for this post.
Patch on the way
An undocumented back door with covert surveillance capabilities is no small matter. At the same time, this particular back door has limited practical reach. To use its features, someone would need to know both the phone number assigned to the watch (it has a SIM card slot for a mobile operator’s card) and the unique encryption key embedded in each device.
In a statement, Xplora said obtaining a key and phone number for a watch would be difficult. The company also said that even if the backdoor was activated, obtaining collected data would also be difficult. The statement read:
We want to thank you for drawing our attention to a potential risk. Mnemonic has not provided any information other than what it sent you in the report. We take any potential security vulnerabilities very seriously.
It is important to note that the scenario created by the researchers requires physical access to the X4 watch and specialized tools to obtain the watch’s encryption key. It also requires the watch’s private phone number. The phone number for each Xplora watch is set when the parent activates it, so no one involved in the production process would have access to it in order to duplicate the scenario created by the researchers.
As the researchers found, even if someone with physical access to the watch and the ability to send encrypted SMS activates this potential flaw, the snapshot photo is uploaded only to Xplora’s server in Germany and is not available to third parties. The server is located in a highly secure Amazon Web Services environment.
Only two Xplora employees have access to the secure database where customer information is stored, and all access to this database is tracked and logged.
This problem, which the testers identified, stems from a remote snapshot feature included in the original internal prototype watches as a potential feature that parents could activate after a child presses the SOS emergency button. We removed the functionality from all commercial models due to privacy concerns. The researcher found that part of the code was not completely removed from the firmware.
After we were notified, we developed a patch for the Xplora 4, which is not available for sale in the United States, to address the problem, and we will push it out before 8:00 am on October 9. We have conducted an extensive audit since we were notified and found no evidence of the security flaw being used outside of Mnemonic’s tests.
The spokesman said the company has so far sold about 100,000 X4 smartwatches. The company is in the process of launching the X5; it is not yet clear whether it contains similar back-door functionality.
Sand uncovered the back door through impressive reverse engineering. It started with a modified USB cable that he soldered to pins on the back of the watch. Using an interface for updating the device’s firmware, he was able to download the existing firmware off the watch. This allowed him to inspect the contents of the watch, including the applications and the various other code packages that were installed.
One prominent package was titled “Permanent Connection Service.” It launches immediately after the device is turned on and iterates through all installed applications. As it queries each application, it builds a list of intents – or message frames – that it can invoke to communicate with that application.
Sand’s suspicions were further aroused when he found intents with the following names:
On further investigation, Sand realized that the intents were triggered by SMS text messages encrypted with a hard-coded key. The system logs showed him that the key was stored on a flash chip, so he dumped its contents and recovered the key – “# hml; Fy / sQ9z5MDI = $” (quotes not included). Reverse engineering also allowed the researcher to work out the syntax needed to activate the remote snapshot feature.
“Sending an SMS caused a photo to be taken on the watch, and it was immediately uploaded to the Xplora server,” Sand wrote. “There was no indication on the watch that a photo had been taken. The screen remains off at all times.”
Sand said he has not activated the wiretapping or location-reporting features, but with extra time, he said, he is confident he could have.
As noted by both Sand and Xplora, exploiting this back door would be difficult, as it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For this reason, people who own a vulnerable device have no reason to panic.
However, it is not beyond the realm of possibility that the key could be obtained from someone associated with the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private either.
The back door highlights the kinds of risks posed by the growing number of everyday devices running firmware that cannot be independently verified without the sort of heroic measures Sand used. Although the chances of this particular back door being used are low, people who own an X4 would do well to ensure that their device installs the patch as soon as possible.