A popular smartwatch designed exclusively for children contains an undocumented backdoor that makes it possible for someone to remotely capture camera snapshots, wiretap voice calls, and track locations in real time, a researcher said. The X4 smartwatch is marketed by Xplora, a Norway-based seller of children’s watches. The device, which sells for about $200, runs on Android and offers a range of capabilities, including the ability to make and receive voice calls to parent-approved numbers and to send an SOS broadcast that alerts emergency contacts to the location of the watch. A separate app that runs on the smartphones of parents allows them to control how the watches are used and receive warnings when a child has strayed beyond a preset geographic boundary.

# But that’s not all

It turns out that the X4 contains something else: a backdoor that went undiscovered until some impressive digital sleuthing. The backdoor is activated by sending an encrypted text message. Harrison Sand and Erlend Leiknes, researchers at Norwegian security company Mnemonic, said that commands exist for surreptitiously reporting the watch’s real-time location, taking a snapshot and sending it to an Xplora server, and making a phone call that transmits all sounds within earshot.

Sand and Leiknes also found that 19 of the apps that come pre-installed on the watch are developed by Qihoo 360, a security company and app maker located in China. A Qihoo 360 subsidiary, 360 Kids Guard, also jointly designed the X4 with Xplora and manufactures the watch hardware. “I wouldn't want that kind of functionality in a device produced by a company like that,” Sand said, referring to the backdoor and Qihoo 360.

In June, Qihoo 360 was placed on a US Commerce Department sanctions list. The rationale: ties to the Chinese government made the company likely to engage in “activities contrary to the national security or foreign policy interests of the United States.” Qihoo 360 declined to comment for this post.
[...] As the researchers made clear, even if someone with physical access to the watch and the skill to send an encrypted SMS activates this potential flaw, the snapshot photo is only uploaded to Xplora’s server in Germany and is not accessible to third parties. The server is located in a highly-secure Amazon Web Services environment.

Continues at https://arstechnica.com/information-technology/2020/10/a-watch-designed-excl...

The smartwatch hack is described more clearly here: https://www.mnemonic.no/blog/exposing-backdoor-consumer-products

It's sad that this gets called "heroic", when it is simply a job well done.

Question for the lawyers on the list: in this case, does it make sense to speak of a presumption of conformity with the CE marking requirements? Is there really no body in charge of verifying the security of products that enter Europe or are manufactured there?

Giacomo