Security Researchers Find Undisclosed Backdoor in Chinese Children’s Smartwatch

Security researchers have unveiled a backdoor functionality in smartwatches designed for children by Chinese company Qihoo 360 and sold in Europe under the Xplora brand.

One of the biggest cybersecurity threats is posed by vulnerabilities that companies unwittingly leave in their products. The Xplora smartwatch is different because the researchers found the backdoor functionality is purposely built into the smartwatch.

Chinese companies have been selling this type of watch for a long time, but Mnemonic is one of the first security companies to take a closer look at the device’s functionality. The watch comes with a GPS module and acts very much like a phone, allowing parents to quickly communicate with their children. But it turns out that the backdoor built into the device that allows parents to control the watch and its actions is available to other parties.

“To trigger the backdoor, knowledge of a secret encryption key is required,” said the researchers. “Our research leads us to believe that the functionality cannot be used without knowledge of the key. However, as the technical run-through will show, there are several parties with the necessary access, including Xplora and Qihoo 360.”

Researchers found a “Persistent Connection Service” that starts automatically at boot and iterates through all applications installed on the watch when investigating the software installed on the device. The service collects a list of possible commands, allowing remote operators to interact with the device. That includes taking snapshots with the camera.

The Mnemonic researchers stopped there with the investigation, but similar Chinese brands allow remote operators to initiate calls without the user’s knowledge. The biggest issue is that the same key used by the parents to authenticate when controlling the watch is likely available to the watch manufacturer as well.