A popular smartwatch designed exclusively for children contains an undocumented backdoor that allows someone to remotely capture camera snapshots, intercept voice calls, and track locations in real time, a researcher said.
The X4 smartwatch is marketed by Xplora, a Norwegian seller of children’s
But that is not all
It turns out that the X4 contains something else: a backdoor that went undocumented until some impressive digital sleuthing uncovered it. The backdoor is activated by sending an encrypted text message. Harrison Sand, a researcher at the Norwegian security firm Mnemonic, said there are commands to covertly report the watch’s real-time location, take a snapshot and send it to an Xplora server, and make a phone call that transmits all sounds within earshot.
Sand also found that 19 of the apps pre-installed on the watch are developed by Qihoo 360, a China-based security company and app maker. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware.
“I wouldn’t want that kind of functionality in a device made by a company like that,” Sand said, referring to the backdoor and Qihoo 360.
In June, Qihoo 360 was placed on a US Department of Commerce sanctions list. The rationale: Ties to the Chinese government made it likely that the company would engage in “activities contrary to national security or US foreign policy interests.” Qihoo 360 declined to comment on this post.
Patch coming soon
The existence of an undocumented backdoor in a watch made in a country with a known track record of espionage attacks is worrying. At the same time, this particular backdoor has limited practical reach. To use the features, someone would need to know both the phone number assigned to the watch (it has a slot for a SIM card from a mobile operator) and the unique encryption key hardwired into each device.
In a statement, Xplora said it would be difficult to obtain both the key and the phone number of a particular watch. The company also said that even if the backdoor were activated, retrieving the collected data would also be difficult. The statement said:
We want to thank you for bringing a potential risk to our attention. Mnemonic did not provide any information other than what it sent you in the report. We take any potential security breaches very seriously.
It is important to note that the scenario created by the researchers requires physical access to the X4 watch and specialized tools to secure the watch’s encryption key. It also requires the watch’s private phone number. The phone number of each Xplora watch is determined when it is activated by parents with a carrier, so no one involved in the production process would have access to it to duplicate the scenario created by the researchers.
As the researchers made clear, even if someone with physical access to the watch and the ability to send an encrypted SMS triggers this potential flaw, the instant photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly secure Amazon Web Services environment.
Only two Xplora employees have access to the secure database where customer information is stored and all access to that database is tracked and logged.
This problem identified by the testers was based on a remote snapshot feature included in the initial internal prototype watches, intended as a potential feature that could be activated by parents after a child pressed an emergency SOS button. We have removed the functionality from all commercial models for privacy reasons. The researcher found that some of the code was not completely removed from the firmware.
Since we were notified, we have developed a patch for Xplora 4, which is not available for sale in the US, to address the issue and will remove it before 8:00 CET on October 9th. We have conducted a thorough audit since we were notified and found no evidence of the security flaw being used outside of the Mnemonic test.
The spokesperson said the company has sold around 100,000 X4 smartwatches to date. The company is rolling out the X5. It’s still unclear if it contains similar backdoor functionality.
Sand discovered the backdoor through impressive reverse engineering. He started with a modified USB cable that he soldered onto the exposed pins on the back of the watch. Using a device firmware update interface, he was able to dump the existing firmware from the watch. This allowed him to inspect the watch’s internals, including the apps and the various other code packages installed.
One package that stood out was titled “Persistent Connection Service”. It starts as soon as the device is turned on and iterates through all installed applications. As it queries each application, it builds a list of intents (Android’s messaging mechanism for invoking app components) that it can later call to communicate with each app.
Sand’s suspicions were further aroused when he found intents with the following names:
After further research, Sand realized that the intents were triggered using SMS text messages encrypted with the hardwired key. System logs showed him that the key was stored on a flash chip, so he dumped the chip’s contents and recovered it – “# hml; Fy / sQ9z5MDI = $” (quotes not included). Reverse engineering also allowed the researcher to understand the syntax required to activate the remote snapshot feature.
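The profile Sand describes (a service that starts at boot, listens for SMS, and can reach the camera, microphone and location) is something a firmware auditor can check for systematically once the firmware has been dumped and the installed packages extracted. The script below is an added example, not Mnemonic’s tooling or Xplora’s code: it parses Android manifests and flags packages that combine a boot receiver, an SMS receiver and sensitive permissions. The two manifests are constructed for illustration (the package names `com.example.persistentconnection` and `com.example.alarmclock` are hypothetical); the intent and permission names are standard Android identifiers.

```python
"""
Firmware-audit heuristic: flag packages whose Android manifest combines
(a) a receiver for BOOT_COMPLETED, (b) a receiver for incoming SMS and
(c) sensitive permissions (camera, microphone, location, telephony).
Added example; the manifests below are constructed, not the X4's firmware.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

BOOT_ACTIONS = {"android.intent.action.BOOT_COMPLETED"}
SMS_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED",
    "android.provider.Telephony.SMS_DELIVER",
}
SENSITIVE_PERMISSIONS = {
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.CALL_PHONE": "telephony",
    "android.permission.RECEIVE_SMS": "sms",
}

# Constructed manifest of a hypothetical package with the suspicious profile.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.persistentconnection">
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed manifest of a benign package: starts at boot, but nothing else.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.alarmclock">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application>
        <receiver android:name=".AlarmReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def audit_manifest(xml_text: str) -> dict:
    """Extract the boot/SMS receiver and sensitive-permission facts of one package."""
    root = ET.fromstring(xml_text.strip())
    package = root.get("package", "<unknown>")
    permissions = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # Collect every action any broadcast receiver in the package subscribes to.
    actions = {a.get(NAME_ATTR) for r in root.iter("receiver") for a in r.iter("action")}
    return {
        "package": package,
        "starts_at_boot": bool(actions & BOOT_ACTIONS),
        "listens_for_sms": bool(actions & SMS_ACTIONS),
        "sensitive": sorted(label for perm, label in SENSITIVE_PERMISSIONS.items()
                            if perm in permissions),
    }


def risk_level(report: dict) -> str:
    """Rank a package: SMS-triggerable surveillance capability is the concern."""
    spy_capable = bool({"camera", "microphone", "location"} & set(report["sensitive"]))
    if report["listens_for_sms"] and spy_capable:
        return "high" if report["starts_at_boot"] else "medium"
    if report["listens_for_sms"] or spy_capable:
        return "low"
    return "none"


def audit_firmware(manifests) -> dict:
    """Map each package name to its risk level for review."""
    return {r["package"]: risk_level(r) for r in map(audit_manifest, manifests)}


if __name__ == "__main__":
    for package, level in audit_firmware([SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]).items():
        print(f"{level:6s} {package}")
```

In a real audit the manifests come from the APKs extracted from the firmware dump (for example via `apktool` or `aapt`), and anything rated high or medium is what a reviewer reads by hand, as Sand did with the Persistent Connection Service. The heuristic cannot tell a legitimate parental SOS feature from a backdoor; it only narrows the set of packages worth that manual inspection.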
“Sending the SMS triggered a photo to be taken on the watch, which was immediately uploaded to the Xplora server,” Sand wrote. “There was no indication on the watch that a photo had been taken. The screen was off the whole time.”
Sand said he hasn’t activated the wiretapping or location-reporting features, but with more time, he said, he is confident he could.
As both Sand and Xplora note, exploiting this backdoor would be difficult, as it requires knowledge of both the unique factory-set encryption key and the phone number assigned to the watch. For this reason, there is no reason for people who own a vulnerable device to panic.
However, it is not beyond the realm of possibility that the key could be obtained by someone with ties to the manufacturer. And while phone numbers aren’t usually published, they’re not exactly private either.
The backdoor underscores the kinds of risks posed by the growing number of daily devices running on firmware that cannot be independently inspected without the kind of heroic measures Sand employed. While the chances of this particular backdoor being used are low, people who own an X4 would do well to ensure their device installs the patch as soon as possible.