Undocumented back door that covertly takes snapshots of the children’s smartwatch

A popular smartwatch made exclusively for kids includes an undocumented back door that allows someone to remotely capture camera snaps, listen to voice calls, and track locations in real time, a researcher said.

The X4 Smartwatch is marketed by Xplora, a Norwegian seller of children’s watches. The device, which sells for around $ 200, runs on Android and has a number of features including the ability to make and receive voice calls to parent-approved numbers, as well as send an SOS broadcast showing emergency contacts to the Location of the watch notified. A separate app that runs on parents’ smartphones allows them to control the use of the watches and receive alerts when a child has stepped beyond a current geographic limit.

But that’s not all

It turns out that the X4 also contains something else: a back door that went undetected until some formidable digital investigation. The back door is activated by sending an encrypted text message. Harrison Sand, a researcher at Norwegian security company Mnemonic, said commands exist to secretly report the real-time location of the watch, take a snapshot, send it to an Xplora server, and make a call that broadcasts all sounds within earshot .

Sand also found that 19 of the apps preloaded on the watch were developed by Qihoo 360, a security company and app maker in China. A Qihoo 360 subsidiary, 360 Kids Guard, designed the X4 together with Xplora and manufactures the watch hardware.

“I wouldn’t want that kind of functionality in a device made by a company like this,” Sand said, referring to the back door and Qihoo 360.

In June, Qihoo 360 was placed on a US Department of Commerce sanctions list. The rationale: ties with the Chinese government made it likely that the company would “engage in activities that are contrary to the national security or foreign policy interests of the United States.” Qihoo 360 declined to comment on this post.

Patch on the way

The existence of an undocumented back door in a watch from a country with known records of espionage hacks is worrying. At the same time, this particular back door is of limited use. In order to use the functions, someone needs to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile operator) and the unique encryption key that is hardwired into each device.

In a statement, Xplora said it would be difficult to get both the key and phone number for a particular watch. The company also said that collected data would be difficult to obtain even with the backdoor activated. The statement read:

We would like to thank you for alerting us to a potential risk. Mnemonic does not provide any information beyond the report. We take potential security vulnerabilities very seriously.

It is important to note that the scenario that the researchers created requires physical access to the X4 clock and special tools to secure the clock’s encryption key. It also requires the watch’s private phone number. The phone number for each Xplora watch is set when it is activated by parents with a carrier so that no one involved in the manufacturing process has access to it to duplicate the scenario the researchers created.

As the researchers clarified, the snapshot photo is only uploaded to the Xplora server in Germany and is not accessible to third parties, even if someone with physical access to the watch and the ability to send an encrypted SMS activates this potential bug. The server is located in a highly secure Amazon Web Services environment.

Only two Xplora employees have access to the secure database, which stores customer information and all access to this database is tracked and logged.

This problem identified by the testers was based on a remote snapshot feature included in the first internal prototype clocks for a potential feature that could be activated by the parents after a child pressed an SOS emergency button. We have removed the functionality for all commercial models for privacy reasons. The researcher noted that some of the code was not completely removed from the firmware.

Since the notification, we have developed a patch for the Xplora 4 that is not available for sale in the US to address the issue. It will be released on October 9 before 8:00 a.m.CET. Since then we have conducted a comprehensive audit and have been notified and found no evidence that the vulnerability was used outside of mnemonic testing.

The spokesman said the company has sold about 100,000 X4 smartwatches to date. The company is about to introduce the X5. It is not yet clear if it contains similar backdoor features.

Heroic Measures

Sand discovered the back door through some impressive reverse engineering. He started with a modified USB cable that he soldered to pins on the back of the watch. He was able to download the existing firmware from the clock via an interface for updating the device firmware. This enabled him to check the insides of the watch, including the apps and other various packages of code that were installed.

An outstanding package was entitled “Persistent Connection Service”. It starts as soon as the device is switched on and runs through all installed applications. Querying each application creates a list of intent or messaging frameworks that can be invoked to communicate with each app.

Sand’s suspicions were further aroused when he found intentions with the following names:

• WIRETAP_INCOMING
• WIRETAP_BY_CALL_BACK
• COMMAND_LOG_UPLOAD
• REMOTE_SNAPSHOT
• SEND_SMS_LOCATION

After a long rummage, Sand found that the intent was activated using SMS text messages encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the contents and received it – “# hml; Fy / sQ9z5MDI = $ “(quotation marks not included). Reverse engineering also allowed the researcher to determine the syntax required to enable the remote snapshot feature.

“By sending the SMS, a picture was taken on the watch and immediately uploaded to the Xplora server,” Sand wrote. “There was no indication on the watch that a photo was taken. The screen stayed off the whole time. ”

Sand said he hadn’t turned on the wiretapping or location reporting features, but with extra time he felt confident he could do it.

As both Sand and Xplora note, this backdoor would be difficult to exploit because it requires knowing both the unique factory-set encryption key and the phone number assigned to the watch. Because of this, there is no reason for people who own a vulnerable device to panic.

However, it is not impossible for the key to be obtained from someone with ties to the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private either.

The back door highlights the kind of risks posed by the increasing number of everyday devices with firmware that cannot be independently verified without the heroic measures employed by Sand. While there is little chance that this particular backdoor will be used, people who own an X4 should make sure their device installs the patch as soon as possible.