Watching your kid is good
Having the whole world watch your kid is even better. More eyes, more safety.
I therefore applaud Enox for doing their part to make children safer.
Kids' smartwatch-pusher Enox, whose Safe-KID-One watch was pulled by the European Commission, has hit back against the bad PR – with some rather unusual arguments. Citing an investigation by Icelandic infosec firm Syndis, the Commission this month outlined "serious" risks with the watch, which comes with GPS, a mic and a …
Speaking more generally one of the problems in the modern world is not enough eyes out there, by which I mean other kids. Back in the day when I was a wean then a sprog aged about 8 I would take myself down the docks for a spot of fishing. There would always be other boys there, older as well and there was a rough sort of care going on. Older boys would offer advice and give tips and ask where you were going if you got up to move further along the wharf for eg.
There were lots of kids about, lots of eyes watching and we would often have three 2c pieces for the payphone or scrounging some discarded pop bottles for the deposit would soon garner them. Not quite cellphone like but anyone causing a worry would know a phone call to the cops by eyes bearers was a possibility.
Now kids on their own out and about stick out like sore thumbs and all sorts of people rush towards them and how do you know if their intentions are benign?
Back in the '90s in Outer London we would let out tweenage kids go round the end of the road on their bikes to the recycling bins, because we were NZ parents eager to give our kids responsibility and some freedom. The youngest came of her bike and just skinned a knee. Some busybody woman wouldn't let just come home and insisted her elder sister come and get us, leaving the youngest with this stranger woman. The eldest came back in a fluster 'a strange woman won't let her leave'. We hot footed it over there and she tried to tell us off for letting our kids out of our sight and we stopped her and made it plain that abducting our daughter was not on.
If there had been legions of spawn on bikes, scooters or afoot they instead of her would have gathered round, decided a skinned knee was no odds and put her back on her bike.
Was a it a Black Mirror episode I saw recently where a woman had a tracker put in her daughter's head connected to a tablet which in the end caused the teenage daughter to leave home for good after smashing the tablet. A scenario the mother had sought to avoid by wrapping her daughter in digital cotton wool. The neuroscience of it was pretty dodgy but the point was well made.
We now have 18 year olds taken to University open days by their parents. My wife who does admissions and recruitment tells of how she regularly has to tell parents that privacy legislation means she is unable to tell them their spawn's test results or anything.
Then we have the phenomenon of young people allowed away on their own for the first time and injuring and killing themselves in over risky situations because they have never been allowed to risk themselves in things like climbing trees etc so don't know how to assess risk in the way we did through bruises, skinned knees and even broken bones. The phenomenon of a classmate with a cast you could sign was a staple, worn as a badge of pride. I never managed one, perhaps because I have loose joints so tend to land floppier than most. I can also pop my shoulders out and back in again in flash of pain but no damage done. I did that a few times, x-rays and examinations showing the shoulder was back in while I knew for a fact it had popped out, I felt it.
So no casts for me but plenty of personal risk assessment.
Sure, but is this actually happening? Yes it's a problem but what's the actual immediate risk here? Is it worse to have a 0.01% chance of the kids watch being hacked or a 0.01% chance to the kid getting lost in the wild woods? Are the risks even this balanced?
Personally I think any parent would be dumb to rely on technology to maintain a kids safety but given that the parents almost always know where the kid is and the chance of the watch being hacked is quite small then this is just another bit of shouty internet junk.
Life is a risk ... get used to it.
I agree entirely. These same risks apply to every internet connected device, including every single smartphone which by my reckoning mostly all seem to : have telephony, tell the time, have a GPS etc etc.
The issue is a matter of pervs who shop the dark web for kiddie pics who will eventually create a market for hackers to sell certain kinds of services. And, don't forget nanny cams have already been hacked and exploited by pervs, so there's no reason to think these products are immune. Finally, anyone who thinks that pervs always work alone is a fool. Think ahead product makers; you are contributing to the creation of a whole new kind of dark and sick market.
"The issue is a matter of pervs who shop the dark web for kiddie pics who will eventually create a market for hackers to sell certain kinds of services."
Not even that, while not a regular feature of the news there's still plenty of "Divorced parent of child ran to another country with them".
Pervs & Paedos is the worst case (that the Daily Mail will happily sell you) but disgruntled relations are probably more of a danger
"Life is a risk ... get used to it."
"...but instead of teaching your kids some responsibility and showing some yourself, why not bravely surveil their ever step with a (ludicrously insecure) GPS watch instead...!" Oh, do go on. It's beer o'clock anyway, we could all use a good laugh...
"...but instead of teaching your kids some responsibility and showing some yourself, why not bravely surveil their ever step"
Or every other step, or perhaps just watch them bounce randomly around as they are tracked with an accuracy of ±500 meters.
They've been abducted...
They're almost home.
Abducted.
Home.
"0.01% chance of the kids watch being hacked"
Where's that statistic from? If it can be hacked then it can be hacked and should be fixed. A device that is designed for internet connectivity and tracking should be safe - even form a Data Protection point of view, let alone a moral one.
The guy in this interview comes across as someone who just doesn't care at all if their products are not secure and that security isn't important. If a parent buys this watch for their child they might give them a bit more freedom than they otherwise would. So if it is not safe and the critical functions can be changed, even for a laugh, it should not be on sale.
For instance if someone decide to find all the accounts in the local area and divert the emergency call to their mobile number. They could do it just to laugh at the child when there's an incident - pretty distressing and potentially a big safety issue. Or they could use it for more nefarious purposes and help to 'rescue' the child, even one that has been taught not to talk to strangers.
A device where they take security seriously (actually seriously), code with secure principles as a priority and any flaws are acted on as quickly as possible through a responsible disclosure program - might still have issues arise but it probably wouldn't be removed from sale by the EU
And how do you keep that chance that low?
If you want an example, you have a far bigger chance to be poisoned by food in US than in EU.
Why? Because EU stricter regulations about food safety keep that risk far lower than in countries with laxer regulations. Sure, you can wait the number of poisoned people becomes high enough before acting, or you can prevent poisoning by checking before, prevent dangerous food reaching people, and recall it as soon as it is identified.
The risk won't be evidently 0 - there will always be people trying to ignore rules, and other factors - but it will be still far lower than if rules, checks and recalls didn't exist.
Nobody is saying this kind of device should not exist - but it must exist in a safe form - to keep risk at the lowest possible level. Otherwise to save a few euros most devices will be far riskier.
but it must exist in a safe form - and the chances of that happening reliably are vanishingly small. You are far better off teaching your kids about the risks of the world and that most of the time it's easy to avoid them ... when I was a kid I would take off after breakfast and be all over the countryside until late afternoon ... than I'd return home and wait for my mum to walk me across the main road. My parents never knew where I was - on vacation I'd climb cliffs, run parkour-like in the 60's over all sorts of places - it scares me now to know what I did but as a kid I didn't care, I just knew not to break a leg when the tide was coming in. Kids are a lot smarter than adults.
"Yes it's a problem but what's the actual immediate risk here?"
Who knows? But if it were my child, I would absolutely not let them wear something like this. Perhaps the risk is low, but it still greatly exceeds the benefit.
OK, but 99%? 90%? at least, say, 85%? Something only very skilled, and very determinate hackers can break, with a lot of effort?
This guy looks to deliver something with about 1% security, if not less. And the reasoning "Achieving 100% security is impossible, so no security is the same thing" is really fallacious.
Start to fix you issues, and show the system is secure enough, then complain...
"I think that if the vulnerability was in something that allowed to find expensive cars and drive away with them easily, much more people would be much more worried than about children..."
And yet you can find plenty of articles here pointing out that it is, in fact, possible to find and drive away with expensive cars very easily, and no-one either selling or buying them seems to care in the slightest.
Between "could be hacked only by determined skilled hackers with enough time and resources to find a a previously unknown vulnerability" and "can be easily hacked by a casual script kiddie" there is a big difference.
If you can't understand it, you should stay away from any kind of software development.
Between "could be hacked only by determined skilled hackers with enough time and resources to find a a previously unknown vulnerability" and "can be easily hacked by a casual script kiddie" there is a big difference.
And all too often the big difference is only a matter of months - if that.
I got this thing I'm selling. Its my living you know. And it does the thing it says. So stop picking on me!!!! Its not that big a problem really!!! I've never met someone that could break into my kids watch thing!!! Stop picking on me!!!! I need to make a living here. Stop picking on me!!!!
/sarc /whine
In other words, basically, "I think its okay, what the hell is all this shit about standards? Why should I have to follow some sort of standard. I'm just trying to make a buck here."
I'll bet he's read atlas shrugged. Twice. And made notes.
The guy must be pitching at naive parents who don't understand that a "Smart Watch" shouldn't have what their blurb boasts is a "Traditional Analogue Watch Face to Hide away the High Tech Construction".
It also says you can track almost to the meter, which is somewhat at odds with his 500 meter range defence.
Plus any kid can leave the tracker at a friend's house if they're going somewhere they've been told not to.
Still, I'm sure their Safe Kid Two is much more secure, it has a pedometer.
This post has been deleted by its author
Coming from a tiny, ocean-surrounded country where everybody knows everybody just about
It was an Icelandic security firm that found the security flaws.
The firm that manufactures the watch is German. Germany has a population of 85 million and is part of the Shengen agreement so has no border controls with most of the the rest of the EU. That's maybe 400 million people.
But anyway, to say everyone in Iceland knows everyone else is ludicrous. Iceland has a population of 350 thousand. Do you know that many people? How many people do you think you know well enough to trust with your kids? Fewer than a hundred I'd have thought. That's less than the population of many streets.
Try checking things before posting - you might avoid coming across as a prat.
According to their marketing it's manufactured in China to German standards, even seems to be a selling point. The server that holds all tracking data is housed in Germany. I hope the security is better than the watch.
I don't even know all the people on my street, let alone the closest 350,000.
"Icelandic banks are totally reliable" - they are when they are run by women, it's the banks run by macho men that crashed and burned ... maybe we'd be better off with a watch designed by women. Let's face it, us guys are doing a real crappy job at technology - just look around us.
And when Icelandic banks do fail, they're held to account.
When the banks fail in the UK, they get rewarded with hundreds of billions of pounds of taxpayers' money and the upper management and shareholders laugh all the way to the, erm, bank.
That money has to be borrowed (see 'national debt') and guess who provides the loans?
The VAT (purchase tax) rate was 'temporarily' increased in the UK during the last debacle to help to pay for all this and hasn't gone back down since. Guess who gets hit hardest by purchase taxes? It sure ain't the bank executives.
Because times are hard, all workers get their wages frozen. "Sorry, we can't afford to give anyone a pay rise this year. Don't be silly. Of course that doesn't apply to the upper management. They're still going to get a 20% rise for doing such a good job this year."
It certainly did, with the result that it is now a post apocalyptic wasteland, it's population homeless and starving, killing each other for the chance to lick the nourishment from a discarded fishskin..
Oh, hang on, that might not be entirely the case.
"It certainly did, with the result that it is now a post apocalyptic wasteland, it's population homeless and starving, killing each other for the chance to lick the nourishment from a discarded fishskin..
Oh, hang on, that might not be entirely the case."
No, what they did was tell all business customers in foreign countries (i.e., many UK Councils) to piss off. Having lost all their reserves, many such councils are now mostly bankrupt.
So yay.
There were some early mobile phone tower assisted GPS systems which lead to what is now called Augmented or A-GPS which use a cheap GPS receiver that sends the data to the tower for processing. The early versions of that were only good for about 500m at best. A real full Navstar GPS receiver must know its time down to 90 ns to even get a fix which means its knows its position to about 90 feet (90 light nano-seconds or about 30 meters) discounting signal reflections and atmospheric delays. GLONASS, Galileo and BeiDou are similar.
You're missing the point. The accuracy of the GPS function provided is secondary...
The PoS mouthpiece for this PoS product claimed that the GPS accuracy of the product was +/-500m and that that was well-known to those buying it, so they were not buying it for accurately locating their kids, and hence the bad guys could not either. However, the product's webpage at the company's official site https://www.enoxgroup.de/our-products/smartwatches/safe-kid-one/ and the "product sheet" for the watch, linked from that page both say "Through downloading of an APP in your Smartphone (QR Code included in the User Manual), you can locate and follow your Kid – almost to the Meter – on a GPS Map in your Smartphone". So, he is lying about the claimed accuracy of the GPS and what parents/purchasers presumably thought about their ability to "pinpoint" their kids' locations from using the watch and app. These claims speak to the veracity and credibility of the company, which is obviously deeply questionable. It is, at a minimum, obvious that Enox is a compamy that makes/markets "high tech" products (actually, probably mostly re-badges and markets other people's products, right?) without much clue about broader issues of such 'high tech" than how to maximize the profit it makes...
So not only is he selling a piece of shit GPS, he's also selling one that is not secure ? And it's not a problem because you can't have 100% security ?
I'd really like to ask him if he has a lock on his door and, if so, why.
Not going up in my esteem is the least I can say.
"Instead, he pointed to a one-page assessment from the German federal agency Bundesnetzagentur that the watch didn't violate that country’s Telecommunications Act."
I once had to investigate a case where a home-made roof ladder broke. I'm sure it didn't violate any country's Telecommunications Act but unfortunately that didn't help. The bloke who fell off the ladder was killed.
Ting is, he's right. Although now the media has a hold of this, technical peados may at this very moment be attempting to hack said watches to follow children, instead of actually just.... following children. Security by obscurity used to be a ting, until we published everydamnting.
Perhaps this is a good ting. Instead of just coming along in your white van and lifting a kid into the back of it as normal, now we should be on the lookout for watch hackers. New set of rules for schools to follow. Ignore white van, but watch out for.... I seen a guy with an IoT bear the other day looking shifty, roll out the stingers and set a curfew.
..wannabe child molesters of whatever flavour had to track down their details by direct observation, or trawling social media.
Are the details of these devices in a single database, or searchable in some fashion that allows the crim to say, "hmmm, I feel like a 7 year old tonight, lets take a look through Kid-E-Traks GPS records" ?
I mean, apart from the abysmal device security, does it also (fail to) contain 'personally identifiable information' that makes life more convenient for such predators?
If its only another shitty leaky IoT ripoff device, then all the OMG THINK OF THE CHILDREN !!!! is misplaced sensationalism, and its not particularly worse than any of the others, however, if there is an access-able database of users, or a specific range of addresses or mobile numbers associated with the devices, and child predators can use this knowledge to improve their predations... THEN the threat level is actually meaningful.
Yes, there is such a database. They market it as being located in Germany.
Given their general attitude to security, one assumes that database is live replicated all over PaedoNet and searchable by anyone who has enough PaedoCoin.
You'd think someone would vaguely skim GDPR and security best practice before launching a device that has "I Am I Target" painted on it in such large red letters, but Internet Of Insecure Shite does seem to attract this kind of insanity.
He should think himself lucky that his product was merely banned, rather then the other legal (and extra-legal) responses one can think of.