Cheap China Smartwatch SMA-WATCH-M2 for Kids leaks data

The German institute AV-TEST is currently warning of a cheap Chinese Smartwatch (SMA Watch-M2) for kids. The watch can reveal data of the wearer to unauthorized third parties and allows children to be harassed.


Warnings of unsafe Chinese smartwatches for children have been issued several times in the past. Now I’ve become aware of the next case via the following tweet.

The independent test institute has issued a product warning for the Smartwatch SMA-WATCH-M2 from the Chinese manufacturer Shenzhen Smart Care Technology Ltd. (SMA). With a SIM card inserted, the Smartwatch SMA-WATCH-M2 can be used as a GPS tracker. This IoT device is meant to protect children and give parents a feeling of safety. The Smartwatch for kids costs 30 US $ and is probably bought frequently. It’s offered online and is also sold by several distributors.


Smartwatch SMA-WATCH-M2 leaks user data

The manufacturer’s Smartwatch reveals the exact position data of over 5,000 children around the globe to potential attackers. It also allows the eavesdropping and manipulation of confidential conversations and other information. This is what the AV-TEST testers found during their investigation.


During the analysis, the researchers came across data records of the wearers of this Smartwatch and describe the daily routine of a 10-year-old girl from the German city of Dortmund as an example in this blog post. The engineers were able to reconstruct this daily routine using the data and conversations recorded by the Smartwatch and stored unsecured on a Chinese server.

The private data (such as name, address, age and pictures) of over 5,000 children are stored unprotected on the server of the manufacturer of the children’s watch from Shenzhen. The watch also sends the voice messages that children exchange with adults to the service provider’s server. In addition, if a SIM card is inserted, GPS position data is also transmitted in real time. Since everything is unencrypted, third parties can spy on the wearer's behaviour and data.

The AV-TEST testers wrote that engineers from the IoT laboratory had already found comprehensive reasons against the use of tracker watches for children in comparative tests as part of the Smartwatches for Children test. But the Chinese SMA-WATCH-M2 far exceeds the security failures of other manufacturers.

All communication between the Smartwatch and the provider’s servers is unencrypted and no authentication is required. The retrievable data reveal not only the image, name and registered address data of the owner, but also the IMEI of the watch’s modem and real-time GPS coordinates. The coordinates can be easily and accurately located and displayed using services such as Google Maps. The test engineers have found that simple brute force attacks on the unprotected Web API can be used to find out the data records of all registered users.

According to AV-TEST, a config file in the app directory makes it possible to assign any user account to the app and take over that account's available data via the Web API. It is sufficient to enter the determined user IDs into the config file of the app. When the app is started, it logs on to the server without further authentication under the user account belonging to the ID. Thus other users' data is easily available to third parties.
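The fix for the flaw described above belongs on the server: the account a request acts on has to come from a credential the server issued, not from an ID the client supplies. The following is an added example, not code from AV-TEST or the manufacturer; the function names, token format, lockout threshold and sample records are assumptions, and the token is assumed to travel over TLS.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
MAX_DENIALS = 5                       # assumption: rejected requests tolerated per client
SAMPLE_DB = {"1001": {"name": "constructed-a"},   # constructed records, not real data
             "1002": {"name": "constructed-b"}}
_denials = defaultdict(int)           # client address -> rejected requests seen


def _mac(user_id: str, nonce: str) -> str:
    return hmac.new(SERVER_KEY, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()


def issue_token(user_id: str) -> str:
    """Issued once after a real login or device pairing step (not shown here)."""
    nonce = secrets.token_hex(8)
    return f"{user_id}.{nonce}.{_mac(user_id, nonce)}"


def token_subject(token):
    """Return the user ID the token was issued for, or None if it is not ours."""
    try:
        user_id, nonce, mac = token.rsplit(".", 2)
    except (ValueError, AttributeError):   # wrong shape, or no token at all
        return None
    ok = hmac.compare_digest(mac.encode(), _mac(user_id, nonce).encode())
    return user_id if ok else None


def insecure_get_profile(db, requested_id):
    # Pattern the article describes: whoever names an ID receives that record.
    return db.get(requested_id)


def get_profile(db, client_addr, token, requested_id):
    """Serve a record only to the account the token was issued to."""
    if _denials[client_addr] >= MAX_DENIALS:
        return 429, None                   # locked out after repeated rejections
    subject = token_subject(token)
    if subject is None or subject != requested_id:
        _denials[client_addr] += 1         # ID guessing shows up as repeated denials
        return 403, None
    return 200, db.get(requested_id)
```

With this check, editing the ID in a client-side config file only produces 403 responses, and a run of them from one address is a signal worth alerting on.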

(Heat-Map for SMA-WATCH-M2, Source: AV-TEST)

AV-TEST explicitly warns against the Chinese SMA children's Smartwatch, which, according to the heat map, seems to be widespread especially in Poland and Belgium. The case proves once more that the masses of cheap IoT devices from Chinese production meet neither minimum standards for IT security nor for data protection.

According to AV-TEST, the German distributor Pearl reacted in an exemplary manner and no longer offers the SMA children’s Smartwatch. The Chinese manufacturer, on the other hand, did not react to the requests from AV-TEST. Other importers in Europe are likely to continue selling the Smartwatch, which costs approx. 30 US $.
