5 comments

  • Lyrkan, 22 minutes ago
    Reminded me of this recent talk from 39C3 regarding another company (Xplora) that also sells smartwatches for children: https://www.youtube.com/watch?v=VRQz9EX2Tl0
  • jidoka, 4 hours ago
    Title: KTH student hacked a popular children’s smartwatch, found 17 vulnerabilities and full remote access

    A former student at KTH Royal Institute of Technology has demonstrated how a popular children’s smartwatch can be fully compromised over the internet. In his thesis, “Ethical Hacking of a Smartwatch for Kids: A Hacker’s Playground,” Gustaf Blomqvist conducted an ethical security assessment of a widely sold kids’ smartwatch and found what he describes as severe security flaws.

    The device, identified in Swedish media as the MyFirst Fone R1s by MyFirst, exposed an insecure network service directly to the internet. By scanning for devices, an attacker could identify watches and take complete control of them remotely.

    According to the findings, an attacker could access the camera and microphone, eavesdrop on surroundings, read and manipulate text messages, send arbitrary messages, and potentially use the device in denial-of-service attacks. In total, 17 vulnerabilities were discovered.

    Blomqvist also found preinstalled malicious code on the watch. The device reportedly connected periodically to a remote server and transmitted detailed information about its contents. The update mechanism for that code was itself vulnerable, making it possible to install additional malicious software.

    Children’s smartwatches are marketed primarily as safety devices so that parents can stay in contact with their children. However, the research suggests these products may introduce serious privacy and security risks instead.

    Blomqvist says he reported the vulnerabilities to the manufacturer and initially received instructions on where to submit the details, but after that communication stopped.

    Pontus Johnson, professor of cybersecurity at KTH, commented that many software-based systems remain highly vulnerable and that smaller manufacturers may lack the resources to properly address security issues.

    The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for connected products, but full enforcement will not take effect until 2027.

    Sources: kth.se, expressen.se
  • coredev_, 1 hour ago
    I'm very excited for the EU's CRA, very promising for the future of digital security in the EU.
  • defraudbah, 49 minutes ago
    which smartwatch was that?

    the source linked in the article is dead, and I only see that AI slop comment here

    -- MyFirst Fone R1, Singapore

    funny that it's called my first, find my first upon your device, haha
    • pavel_lishin, 34 minutes ago
      https://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A2037346&dswid=5583

      > In this thesis, well-documented grey-box ethical hacking is conducted of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s.