Xplora Watches for Kids: Chinese Spyware

Chinese smartwatches for kids: Just one of this decade’s objectively terrible ideas. A “Norwegian” company, Xplora Technologies, sells a Chinese smartwatch that’s full of Chinese software, implicitly controlled by the Chinese Communist Party.

And, wouldn’t you just know it, the software’s full of privacy-busting backdoors. Obviously, that was a dreadful mistake, and completely inadvertent—those functions should never have made it into the production firmware. How could that possibly have happened? Here’s a firmware patch.

Riiight. So that’s okay then. In today’s SB Blogwatch, we ponder plausible deniability.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Once In A Half-Lifetime.


Hey, Kids! What Time Is It?

What’s the craic? Dan Goodin gets in first—“Undocumented backdoor … found in kids’ smartwatch”:

 A popular smartwatch designed exclusively for children contains [a] backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said. [It] is activated by sending an encrypted text message.

The apps that come pre-installed on the watch are developed by Qihoo 360 … located in China. … In June, Qihoo 360 was placed on a US Commerce Department sanctions list. The rationale: ties to the Chinese government made the company likely to engage in “activities contrary to the national security or foreign policy interests of the United States.”

There’s no reason for people who own a vulnerable device to panic. Still, it’s not beyond the realm of possibility that the key could be obtained by someone with ties to the manufacturer. [It] underscores the kinds of risks posed by the increasing number of everyday devices that run on firmware that can’t be independently inspected.

Xplora said obtaining both the key and phone number for a given watch would be difficult. The company also said that even if the backdoor was activated, obtaining any collected data would be hard, too. … Qihoo 360 declined to comment.

Naturally, Thomas Claburn cracks the obligatory Dora gag—“Backdoorer the Xplora”:

 This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. … Exploiting this security hole is essentially non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today’s gizmos.

Around 350,000 watches have been sold … in the US and Europe. … The watches are marketed as a child’s first phone, we’re told, and thus contain a SIM card.

Xplora, which maintains its own backend infrastructure on AWS in Germany for the smartwatches it distributes, said it has taken steps to address the situation that include the release of a firmware patch. … When the smartwatch was being designed, the company says, parents provided feedback indicating that they want to be able to contact their children in an emergency and to be able to obtain location imagery in the event of a kidnapping. Xplora … decided not to implement them in the commercial release due to privacy concerns.

Who discovered it? Mnemonic’s Harrison Sand and Erlend Leiknes—“Exposing covert surveillance backdoors in children’s smartwatches”:

 Children’s smartwatches have had a checkered past, to put it lightly. [Our 2017 work] revealed serious gaps in security across the market [and] resulted, among other things, in Germany banning the watches and asking consumers to destroy the devices.

The Qihoo [apps have] several … suspicious, surveillance-related commands: … WIRETAP_INCOMING … WIRETAP_BY_CALL_BACK … REMOTE_EXE_CMD … REMOTE_SNAPSHOT … SEND_SMS_LOCATION. … During our tests we observed the watch communicating directly with Qihoo-owned servers in China. The domains included: p.s.360.cn … sdk.s.360.cn

From an IT security perspective, the issue here is that this backdoor exists in the first place. This ability to issue wiretaps or take secret pictures over SMS is … functionality that has been created with intent.

What exactly is that intent?

Still, the trigger needs a secret encryption key, so that’s okay. Uh, no, it’s not okay, says kbg:

 Qihoo has a list of all the encryption keys and can easily get the corresponding phone number from the app. This means that all employees of Qihoo can watch and take pictures of these kids at any time and under orders from Beijing can supply these codes to the Chinese government.

Yikes. Random John Smith Guy reckons it explains a lot:

 And this, ladies and gents, is why the government is suspicious of anything more sophisticated than a Fitbit. And, in fact, Fitbits are pretty suspect too.

Qihoo who? This Anonymous Coward recognizes the name:

 Qihoo 360 was banned from the Google Play store long ago for multiple violations of Google’s developer rules, including tricking users … by hijacking the users’ mobile WebView browser with fake virus warnings. Qihoo 360 is back doing the same thing, only this time using a relatively unknown app developer out of Brazil [that’s] heavily funded by the Chinese and has been luring novice Android users into installing [its] app with fake virus warnings every day since 2013 to the present.

The app was harvesting users’ social media data and could access the SQLite database of WhatsApp, and was known for pushing political ads.

But why? MrL0G1C hypothesizes:

 I wouldn’t be surprised if devices with backdoors like this were being used to spy on pro-democracy Hong-Kongers.

Wait. Pause. What about the product category as a whole? aleph_nought finds it pretty distasteful:

 You keep children safe by creating safe conditions, not by putting GPS trackers and remote cameras on them. I remember spending most of my childhood summers riding around everywhere and coming home for dinner, without having to wear a parent-mandated tracking device.

Meanwhile, Bryan320 is 40 less than Qihoo 360:

 They can kiss whatever reputation they had goodbye.

And Finally:

Half-Life’s G-Man does Talking Heads

Hat tip: Andrea James

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Caleb Woods (via Unsplash)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
