SmartWatch for Children - Not so Smart

In 2016, I decided to try a watch for my kid with GPS and the ability to call pre-defined numbers. One fateful evening, after about a year of usage, I called their support and asked them to locate the watch. I was beyond surprised when they could pinpoint within meters of where the watch might be. Probing further, I realized they have their servers somewhere in the underbelly of Andheri (East), Bombay. I know those places; those were the places I started my professional career, and I remember spending countless evenings sipping tea from the local street vendors there. That was when I decided never to trust these services and stopped using them.

These watches are made in China, resold, and serviced by local Indian companies.

Of course, your cell phone service providers know your exact locations while you use a phone. Your smartphone Operating System (iOS, Android) providers and manufacturers also know almost all the details of what you have on your phone—from locations to your browsing habits to the places you go out to eat, your office, and your home.

Fortunately, phone service providers need strict legal orders from authorities to hand over your data to anyone asking for it. Next, your Operating System providers are primarily incentivized NOT to share your details and need almost similar legal orders to hand over the data to any third-party entity. Let’s assume, in good faith, that these entities (the phone service providers, the phone operating systems, and the phone manufacturers) are the better of the worst-case scenarios. There are many stories, anecdotes, and conspiracy theories about them, too, but let’s leave that for another day and discussion.

That leaves third-party companies selling Smartwatches, especially for kids, that track their every location, listen to the talks, and record everything. By installing their apps, wearing the watch, and “agreeing” to their Terms of Service and Privacy Policy, you gave everything away—bypassing any security sandbox your phone’s operating system might impose on such apps.

A dystopian future where AI shepherds children

AI

We are seeing AI-enabled scams a lot more these days. AI voices that can mimic anyone are at the disposal of scammers.

These are hypothetical and bare-minimal incidents that can and might happen. A lot worse can come out of this lethargic and insecure method of strapping a digital tether to your kids with a device that can pinpoint their location within meters, listen to their voices every second, and track their whereabouts.

Smartwatches with Call/GPS Features

Children’s smartwatches are often marketed as a way for parents to stay connected with their children and track their locations for safety reasons. Core functionalities commonly include:

Most companies selling these Smartwatches and the associated services are ill-equipped, lack resources, and are not keen on extending their budget for the appropriate security measures.

Insecure Communication Channels

Many children’s smartwatches rely on mobile apps to communicate location, messages, and voice data to a backend server.

The Norwegian Consumer Council’s 2017 “WatchOut” report highlighted insecure communication channels (PDF) in several popular kids’ smartwatches. One watch, when transmitting location coordinates, did not use robust SSL/TLS, making the data vulnerable to interception.

Authentication and Authorization

Smartwatches and their companion apps often suffer from inadequate authentication checks.

Security researchers at Pen Test Partners discovered multiple watches (including some generic models sold under different brand names) that allowed hackers to take over user accounts via poorly implemented password reset functions.

GPS Spoofing or Replay Attacks

As these smartwatches’ GPS data are often transmitted without strong encryption or integrity checks, adversaries can:

In the Forbrukerrådet (Norwegian Consumer Council) tests, they found that an attacker could manipulate location data and effectively “move” a child’s reported location to another place by sending crafted requests to the backend.

Vulnerable Companion Apps

The smartphone apps that parents use to track and communicate with their children often have:

If a phone is compromised or the app developer’s servers are breached, these vulnerabilities can lead to unauthorized access and data exfiltration.

Privacy

Many children’s smartwatch vendors do not clearly outline:

In some instances, families and regulators have found that data collected via children’s watches was stored in cloud servers in foreign jurisdictions with lax data protections, raising compliance questions under GDPR (in the EU) or COPPA (in the US).

India

India has a bigger problem with a lack of checks and balances regarding security and privacy, which extends to enforcement. The burgeoning rise of scams powered by technologies, including AI-enabled ones, is rampant with no immediate respite in sight. India does not have a dedicated child online privacy law akin to the Children’s Online Privacy Protection Act (COPPA) in the U.S. or the strict requirements under the European Union’s GDPR (especially its child-specific provisions).

Alternatives

When parents shop for a children’s smartwatch, they often look for a balance between connection (e.g., the ability to call or message their child) and safety (e.g., location tracking). Unfortunately, many kid-focused smartwatches can introduce significant privacy and security risks—especially cheaper models with insufficient data protection.

Here are a few alternative approaches to help parents stay connected and ensure a child’s well-being without relying on a typical kids’ smartwatch.

Of course, the best is not to tether your kids to a digital lease. Ultimately, the best choice depends on your child’s age, maturity, and actual safety needs. For many families, alternatives like a simple phone, a well-managed family sharing plan, or a basic GPS tracker can offer peace of mind without the heightened data and security risks that plague many kids’ smartwatches.


References