A Norwegian engineer discovered a major potential security breach in the Xplora X4 children’s smartwatch, a device created in Norway. Harrison Sand, a researcher at Mnemonic, found a backdoor that allows a third-party user to remotely gain access to the wearer’s real-time location, make a phone call and take a snapshot destined for an internal server. Sand also found 19 of the X4’s pre-installed apps are developed by Qihoo 360, a Chinese app maker on the U.S. Commerce Department sanctions list for engaging in “activities contrary to the national security or foreign policy interests of the United States.” A second Chinese hardware firm and Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4, which is currently unavailable for purchase in the U.S., with Xplora.
The backdoor would require knowing the watch’s SIM card and the device’s specific encryption key, limiting its ability to be used, although Sand expressed his own personal reservations. “I wouldn’t want that kind of functionality in a device produced by a company like that,” Sand said. In response, Xplora pledged to patch the security hole.