A location-tracking smartwatch worn by thousands of children has proven relatively easy to hack.
A security researcher found the devices neither encrypted the data they used nor secured each child's account.
As a result, he said, he could track children's movements, surreptitiously listen in to their activities and make spoof calls to the watches that appeared to be from parents.
Experts say the issues are so severe that the product should be discarded.
Both the BBC and the researcher involved tried to contact the makers of the MiSafes Kid's Watcher Plus to alert them to the problem but received no reply.
Likewise, a China-based company listed as the product's supplier did not respond to requests.
'Simple hack'
The MiSafes watch was first released in 2015.
It uses a global positioning system (GPS) sensor and a 2G mobile data connection to let parents see where their child is, via a smartphone app.
MiSafes targeted the watch at children as young as three
In addition, parents can create a "safe zone" and receive an alert if the child leaves the area.
The adult can also listen in to what their offspring is doing at any time and trigger two-way calls.
Pen Test Partner's Ken Munro and Alan Monie learned of the product's existence when a friend bought one for his son earlier this year.
Out of curiosity, they probed its security measures and found that easy-to-find PC software could be used to mimic the app's communications.
This software could be used to change the assigned ID number, which was all it took to get access to others' accounts.
This made it possible to see personal information used to register the product, including:
- a photo of the child
- their name, gender and date of birth
- their height and weight
- the parents' phone numbers
- the phone number assigned to the watch's Sim card
"It's probably the simplest hack we have ever seen," he told the BBC.
"I wish it was more complicated. It isn't."
Rather than compromise other people's watches, the researchers bought several more units to test.
The security researchers were able to fool the watch into showing a call was from a parent
With these, they found it was possible to:
- trigger the remote listening facility of someone else's watch, with the only warning being that a brief "busy" message appeared before its screen returned to blank
- track the wearer's current and past locations
- alter the safe zone facility so that alerts were triggered by a child's approach rather than their departure
Pen Test Partners also learned it was possible to bypass a feature supposed to limit the watch to accepting calls from only authorised parties.
The researchers did this by using a online "prank call" service that fools receiving devices into showing another person's caller ID number.
The watches allow parents to listen to their children "any time" as well as to make phone calls to the device
"Once a hacker has the parent's number, they could spoof a call to appear to come from it and the child would now think it's their mum or dad dialling," said Mr Munro.
"So they could leave a voice message or speak to the child to convince them to leave their house and go to a convenient location."
Using a different tool, Mr Munro said his team were able to see that about 14,000 MiSafes were still in active use.
Sales ban
The Norwegian Consumer Council highlighted other cases of child-targeted smartwatches with security flaws last year.
It said the MiSafes products appeared to be "even more problematic" than the examples it had flagged.
"This is another example of unsecure products that should never have reached the market," said Gro Mette Moen, the watchdog's acting director of digital services.
"Our advice is to refrain from buying these smartwatches until the sellers can prove that their features and security standards are satisfactory."
In the UK, Amazon used to sell the watches but has not had stock for some time.
The BBC found three listings for the watches on eBay earlier this week but the online marketplace said it had since removed them on the grounds of an existing ban on equipment that could be used to spy on people's activities without their knowledge.
"We don't allow the sale of these products on our marketplace," said a spokeswoman.
MiSafes previously made headlines in February when an Australian cyber-security company discovered several flaws with its Mi-Cam baby monitors.
Security concerns were previously raised about the firm's baby-monitoring cameras
SEC Consult said these meant hackers could spy on footage from owners' homes and hijack accounts.
It too was unable to get a response from the manufacturer.
Latest Stories
-
Philip Nai and friends spend time with kids of Agblezaa on Christmas eve
38 minutes -
Education is in crisis – NCPTA General Secretary
56 minutes -
Celebrating 65 years of impact: Commonwealth scholars and fellows alumni in Ghana
1 hour -
Our confidence in the law has borne fruits – Ebi Bright on SC ruling
1 hour -
Mandamus application to be heard by new High Court judge – Supreme Court rules
2 hours -
Krofuom residents attack GNFS personnel as fire destroys Trinity TV and church
2 hours -
Movie review: Peter Sedufia’s ‘One Night Guests’
3 hours -
Three dead, several injured in accident on Cape Coast-Accra highway
3 hours -
MTN donates to support two hospitals in Savannah region
3 hours -
NDC victory a call to action for agricultural and economic revitalization in Ghana – Klutse Kudomor
3 hours -
Adidome Chief alarmed over rising teenage pregnancy in Central Tongu, calls for collective stakeholder action
3 hours -
MTN Foundation celebrates Christmas with new mothers across Ghana
3 hours -
MTN Ghana presents hampers to 60 Christmas babies in Central region
4 hours -
Re-collation: Supreme Court quashes results in Tema Central, Ablekuma North, Techiman South, Okaikwei Central
4 hours -
NDC accuses trial judge of bias over order to re-collate outstanding parliamentary results
5 hours