39C3: Vulnerabilities in Xplora smartwatches endangered millions of children
Researchers were able to read messages, fake locations, and take over any watch – demonstrated from the perspective of a child-eating forest witch.
(Image: Nils Rollshausen, media.ccc.de, CC BY 4.0)
Nils Rollshausen from TU Darmstadt presented serious vulnerabilities in children's smartwatches from the Norwegian manufacturer Xplora at the 39th Chaos Communication Congress (39C3) in Hamburg. The talk "Watch Your Kids: Inside a Children's Smartwatch" was largely based on the work of a master's student who systematically analyzed the watches' security architecture. The watches are sold not only in Norway but worldwide: over 1.5 million units, according to the manufacturer's own figures. In Germany they are offered in bundle deals by Telekom, among others.
"We are a child-eating witch"
Rollshausen chose an unusual narrative framework: "For the purposes of this talk, we are a child-eating witch living in the forest." The witch's problem: In the past, children simply wandered to the hut, but today everyone wears GPS trackers and parents can find them. "If we don't want to starve, we'll have to do some research."
The entry point was the FCC certification documents, which included photos of a developer charger with four contacts instead of the retail charger's two. The researchers built a matching adapter, and the watch duly enumerated as a USB device.
To get into debug mode, they asked themselves: "What's the dumbest possible solution?" Tapping the version number repeatedly, as is common on Android. It worked. A PIN prompt then appeared. While Rollshausen was still thinking about automated attacks, the master's student went home and spent two hours manually trying four-digit combinations until the right one came up; at that point the watch imposed no attempt limit.
Static keys enable full access
Since the watch behaved like an ordinary Android device with debug access enabled, the researchers could pull the manufacturer's apps with standard Android tooling. There they found the core problem: authentication against the backend relied on static secrets baked into the firmware, identical across watches of the same model.
Combined with publicly available inputs such as timestamps and serial numbers, anyone who has extracted the secret from one watch can generate valid API keys for any other watch, and can therefore do everything the real watch is allowed to do.
Teleport children virtually to Pyongyang
Rollshausen live demonstrated the possible consequences – still from the witch's perspective:
- Read messages: "Very useful for communication"
- Send fake messages: "So the children know where to find us, because they are so busy with their phones that they can't find the forest anymore"
- Manipulate location: According to Rollshausen, this manipulation always requires two attempts. But then the "teleportation" works – the child suddenly appeared in Pyongyang, North Korea, or any other freely chosen location.
- Reset watches remotely: "That doesn't look very interesting on screen," he admitted before the watch shut down on stage
"This is a for loop away from compromising all watches with this model. And that's a lot of watches," said Rollshausen.
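The flaw class described above, as an added illustration that is not code from the talk, from Xplora or from the master's thesis: the secret, serial numbers, timestamp and HMAC-based derivation below are all invented for this example and say nothing about Xplora's real protocol. What the example shows is why a fleet-wide static secret plus public inputs is "a for loop away" from every device, and how a per-device secret changes that outcome.

```python
import hmac
import hashlib


# Constructed illustration of the flaw class described in the talk: a secret that
# is identical in every unit's firmware is combined with public values (serial
# number, timestamp) to mint an API key. The secret, serials and scheme below are
# invented for this example; none of it is Xplora's actual key or protocol.
FLEET_WIDE_SECRET = b"example-static-firmware-secret"  # hypothetical


def derive_api_key(serial: str, timestamp: int, secret: bytes) -> str:
    """Hypothetical watch-side derivation: HMAC-SHA256 over serial and timestamp.

    The only non-public input is `secret`. If that secret is the same on every
    watch, anyone who extracts it once can run this function for any serial.
    """
    message = f"{serial}|{timestamp}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


class StaticSecretBackend:
    """Stand-in for a backend that verifies keys with the same fleet-wide secret."""

    def __init__(self, secret: bytes, window_seconds: int = 300):
        self.secret = secret
        self.window = window_seconds

    def authenticate(self, serial: str, timestamp: int, key: str, now: int) -> bool:
        # The freshness window only limits replay of a captured key; it does
        # nothing against an attacker who can mint fresh keys at will.
        if abs(now - timestamp) > self.window:
            return False
        expected = derive_api_key(serial, timestamp, self.secret)
        return hmac.compare_digest(expected, key)


def forge_keys_for_fleet(serials, extracted_secret: bytes, now: int) -> dict:
    """The 'for loop' from the talk: one extracted secret yields a valid key per serial."""
    return {s: derive_api_key(s, now, extracted_secret) for s in serials}


class PerDeviceSecretBackend:
    """Contrast: each watch is provisioned with its own secret at manufacture,
    so extracting one watch's secret does not authenticate as any other watch."""

    def __init__(self, device_secrets: dict, window_seconds: int = 300):
        self.device_secrets = device_secrets  # serial -> secret
        self.window = window_seconds

    def authenticate(self, serial: str, timestamp: int, key: str, now: int) -> bool:
        secret = self.device_secrets.get(serial)
        if secret is None or abs(now - timestamp) > self.window:
            return False
        expected = derive_api_key(serial, timestamp, secret)
        return hmac.compare_digest(expected, key)


def demo() -> dict:
    """Run both backend designs against keys minted from a single extracted secret."""
    now = 1_735_000_000  # constructed timestamp
    serials = [f"SN{n:06d}" for n in range(1, 6)]  # constructed serial numbers

    # Fleet-wide static secret: the attacker extracted it from one watch and
    # now mints a key for every serial in the range.
    static_backend = StaticSecretBackend(FLEET_WIDE_SECRET)
    forged = forge_keys_for_fleet(serials, FLEET_WIDE_SECRET, now)
    static_results = {s: static_backend.authenticate(s, now, k, now) for s, k in forged.items()}

    # Per-device secret: the attacker owns SN000001 and has extracted only its secret.
    device_secrets = {s: hashlib.sha256(b"provisioned-" + s.encode()).digest() for s in serials}
    per_device_backend = PerDeviceSecretBackend(device_secrets)
    leaked = device_secrets["SN000001"]
    per_device_results = {
        s: per_device_backend.authenticate(s, now, derive_api_key(s, now, leaked), now)
        for s in serials
    }
    return {"static": static_results, "per_device": per_device_results}


if __name__ == "__main__":
    for design, results in demo().items():
        accepted = sum(results.values())
        print(f"{design}: {accepted}/{len(results)} forged keys accepted")
```

Running the demo accepts all five forged keys against the static-secret backend and exactly one (the attacker's own watch) against the per-device backend. The freshness check is kept in both designs to make a second point: a timestamp window stops replay of a sniffed key, but it is irrelevant once the attacker can derive keys, which is why rotating the static secret, as Rollshausen notes the vendor did not do after the August update, would only have helped until the next extraction.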
Tough communication with the manufacturer
Disclosure proved difficult. The vulnerability disclosure program on the manufacturer's website was incorrectly linked, and emails went unanswered until about a week before the talk.
A firmware update in August made Rollshausen nervous: would debug access still work? He had preemptively installed his own app on the watch that opens the debug menu directly, without the version-number tap sequence. After the update the old PIN was indeed no longer valid ("good thing we installed this app"). Analysis showed the PIN was now six digits instead of four, with a lockout after three failed attempts. The actual vulnerabilities were unchanged: "They didn't even rotate the access credentials," said Rollshausen.
An October update also required only minimal adjustments to the exploits. Only shortly before the Congress did Xplora contact him directly. In a conversation on December 22nd, the company assured that an update in January 2026 would fix the causes. The disclosure program was revised, and the master's student received a "respectable" bug bounty reward.
Signal on the children's watch
As an ironic interim solution, Rollshausen showed the Signal messenger on an Xplora watch: "I had to divide all size values by ten to fit it on the screen – but technically, you can run Signal on your child's smartwatch."
His closing message: "We can work with manufacturers to make things safer – but we don't have to. We can also just do our own thing."
(vza)