Backdoorer the Xplora: Kids' smartwatches can secretly take pics, record audio on command by encrypted texts

The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic. This backdoor is not a bug, the finders insist, but a …

  1. jake Silver badge

    I believe them, don't you?

    "It is important to note that the potential flaw requires physical access to the X4 watch and the private phone number," Xplora's spokesperson said. "Even if this is activated, the only place the image would go is to Xplora’s server in Germany located in a highly-secure Amazon Web Services environment which is not accessible to third parties."

    I don't even know where to start ...

    "The spokesperson said the company has conducted an audit since it was notified of the security report and found no evidence the security flaw was being exploited."

    Well, yes. Of course. That's exactly what they would say, isn't it?

    People who spy on children are the lowest of the low.

    1. Michael Wojcik Silver badge

      Re: I believe them, don't you?

      Yes, this is a loathsome product category. Troy Hunt wrote a good exposé on the TicTocTrack last year.

  2. Dan 55 Silver badge

    "It is important to note that the potential flaw requires physical access to the X4 watch and the private phone number,"

    I just... find that hard to believe... the app can upload the phone number, the company have the keys, and Xi's your father's brother.

  3. Anonymous Coward

    Qihoo 360

    Qihoo 360 was banned from the Google Play store long ago for multiple violations of Google's developer rules, including tricking users into installing their app by hijacking the user's mobile WebView browser with fake virus warnings.

    Qihoo 360 is back doing the same thing only this time using a relatively unknown app developer out of Brazil named Psafe.

    Psafe was heavily funded by the Chinese and has been luring novice Android users into installing the "DFNDR" app with fake virus warnings every day since 2013 to the present.

    The app itself uses Avast's virus detection engine but is packed with several advertising SDKs and is now charging enormous fees to users' accounts after a brief "trial" period.

    The app was harvesting users' social media data and could access the SQLite database of WhatsApp, and was known for pushing political ads on the user's device.

    I had brought the fake virus warning issues up with Avast but nothing was ever done about it other than me getting a lifetime ban from the Avast forums.

    Myself and others have also filed numerous complaints to the FTC regarding the app.

    Here is a user's complaint from the Google Play store reviews, dated October 9th 2020:

    "DO NOT DOWNLOAD! This "antivirus" is, itself, a virus. Well, it's a companion virus to a web-based virus. I'm sure you were directed here from an ad on your web browser saying your specific phone has a virus and you MUST have this SPECIFIC antivirus to get rid of it? It's all a scam. This company MUST be sued ASAP, and all of their products MUST be removed from Google Play IMMEDIATELY. Get another antivirus for your phone. Seriously."

  4. Neil Barnes Silver badge

    to be able to obtain location imagery in the event of a kidnapping

    Maybe I'm being a bit parochial here - but just how many kidnapping events (particularly of children) are there?

    Here in the UK, barely a day goes by without the news services not running stories about another child kidnapping... it's so uncommon that when there is a case, the reporting can last for years. Which does not in any way reduce the impact on the child or its parents - but I can't help thinking that this is a classic case of perceived risk being somewhat higher than is actually the case. Why, when I was a child, sometimes my whole childhood went past without me being kidnapped.

    1. Michael Wojcik Silver badge

      Re: to be able to obtain location imagery in the event of a kidnapping

      Statistics in the US are hard to come by. Child abductions are not reported in the UCR and the DoJ's transition to the new system (NIBRS) seems to be having some problems (data for 2018 was "supposed to be available by fall of 2019" but the page still hasn't been updated).

      A best guess seems to be that parental abduction - either by the non-custodial parent, or by one parent in a shared-custody situation - happens some hundreds of thousands of times a year. Abduction by strangers appears to be in the hundreds per year. So parental kidnappings are around three orders of magnitude higher.

      Given that, it's reasonable for some parents (based on the child's custodial situation) to be concerned about a parental-kidnapping risk. It's not reasonable to take anything more than common-sense measures against the stranger-kidnapping risk; that's simply not a rational response. And with around 73-74 million children in the US, the rate even for parental abduction is low - but individual risk will depend very much on the particular situation, so the average isn't particularly meaningful.

      All that said, even for those most at risk I don't think spyware wristwatches are going to be much help.

    2. Stuart Castle Silver badge

      Re: to be able to obtain location imagery in the event of a kidnapping

      According to http://www.childabduction.org.uk/images/Police_Report_2016.pdf (Page 6), there were 1,141 cases of Child Abduction in the UK in 2014/15. Now, that is arguably 1,141 too many, but to get things in proportion, that is considerably less than 1% of either the number of children in the country or the number of crimes in the country.

      In short, the chances are that as long as you aren't in the public eye (maybe a celebrity, wealthy or a politician), your children will not be kidnapped.

      Bear in mind that if you buy any internet-enabled mobile device, you are relying on the manufacturer of that device to ensure any data you put on it is safe, and bearing in mind that mobile devices are often bundles of all sorts of sensors, there could be a lot of data. You can be fairly certain the likes of Apple and Samsung will work hard to block hackers. You cannot be certain that the manufacturer of a cheap device will do anything about it. Whether with Apple, Samsung or any mobile device manufacturer, you cannot be entirely sure the company itself isn't slurping your data.

      The TLDR is that by buying a watch, you run the risk of important data (such as your location) being leaked to all sorts of people. You need to weigh that against the risk of being kidnapped.

  5. Anonymous Coward

    "Found no evidence"

    > found no evidence the security flaw was being exploited

    Translation: logging was disabled or we weren't storing logs (source: I've been on the other side of similar statements made by other companies)

  6. Twanky

    Patch?

    1) The device shipped with software which could make it act as a bugging device. The hardware was sufficiently capable to support this.

    2) The device software was updated by the manufacturer to fully disable this functionality - apparently before any customer found out about it.

    3) Trust us - of course we won't update your device again without letting you know.

    4) Trust us - of course we've not introduced any new 'features' which could compromise your child's safety.
