Title: KTH student hacked a popular children’s smartwatch, found 17 vulnerabilities and full remote access
A former student at KTH Royal Institute of Technology has demonstrated how a popular children’s smartwatch can be fully compromised over the internet. In his thesis, “Ethical Hacking of a Smartwatch for Kids: A Hacker’s Playground,” Gustaf Blomqvist conducted an ethical security assessment of a widely sold kids’ smartwatch and found what he describes as severe security flaws.
The device, identified in Swedish media as the MyFirst Fone R1s by MyFirst, exposed an insecure network service directly to the internet. By scanning for devices, an attacker could identify watches and take complete control of them remotely.
According to the findings, an attacker could access the camera and microphone, eavesdrop on surroundings, read and manipulate text messages, send arbitrary messages, and potentially use the device in denial-of-service attacks. In total, 17 vulnerabilities were discovered.
Blomqvist also found preinstalled malicious code on the watch. The device reportedly connected periodically to a remote server and transmitted detailed information about its contents. The update mechanism for that code was itself vulnerable, making it possible to install additional malicious software.
Children’s smartwatches are marketed primarily as safety devices so that parents can stay in contact with their children. However, the research suggests these products may introduce serious privacy and security risks instead.
Blomqvist says he reported the vulnerabilities to the manufacturer and initially received instructions on where to submit the details, but after that communication stopped. Pontus Johnson, professor of cybersecurity at KTH, commented that many software-based systems remain highly vulnerable and that smaller manufacturers may lack the resources to properly address security issues.
The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for connected products, but full enforcement will not take effect until 2027.
Sources: kth.se, expressen.se
pixl97 4 hours ago [-]
Yea, devices like this are commonly built as cheap as possible, and using things like software component analysis typically doesn't happen. And while I can't say about this company, I've worked with other companies that contract/subcontract out building the software for devices like this to the point there is little to no internal software security culture at the parent company capable of identifying potential problems in said software. This is further exacerbated the the previously mentioned 'as cheaply as possible groups' quite often having poor control over their own employees and intentional hacks/data siphons being bundled with the device.
I've seen larger firms that have come to own some software like this from buyouts and on the first analysis they'll find hundreds of shockingly easy exploits like RCE's in them.
Along with this I've seen the number of software vulns reported by closed source software is no where close to what they find and fix silently at a huge number of companies.
throwa356262 5 hours ago [-]
Love how they are closing with the CRA reference
perching_aix 4 hours ago [-]
I keep reading about how IoT / wearables / smart home devices are routinely both vulnerable and exploited, if not even come with malware preinstalled, so I was curious to finally go through a primary source like this.
After skimming through the attacks performed in this research, and checking every mention of the word "internet", all I got was a section with a hypothetical scenario where the watch has a publicly reachable IPv4 address. Suffice to say, that is really quite unlikely, certainly in my experience at least.
It did also talk about bundled malware, so I guess that's bad enough, but is all IoT research like this? Always sounded to me like you kinda need to already have a foot in the door for these, and this paper didn't dispel that notion for me at all.
tlb 55 minutes ago [-]
Many of the great hacks have involved breaking through 2 layers of supposed security. You break into the 3D printer, which lets you send packets on the local network. Then you use that to break into the exercise bike, which has a camera because it's based on a generic tablet.
Either vendor might see the flaw as low-severity. So what if someone can send packets? So what if someone already on the local network can hack the camera? But combine them and you're pwned.
pixl97 4 hours ago [-]
"You're safe as long as every device on the network you're on is safe" isn't safe.
In theory I should be able to take a modern browser/device over a completely compromised router and either be safe, or have my device tell me "holy shit, something is wrong".
The days of local trust should be long gone by now.
perching_aix 3 hours ago [-]
Sure, just super not what I think of when I read the headlines. I read the headlines and I expect the things to be on Shodan.
e12e 12 minutes ago [-]
> the watch has a publicly reachable IPv4 address
Attacker reachable, presumably? Like from a hacked cable modem or wifi router?
parliament32 3 hours ago [-]
> a hypothetical scenario where the watch has a publicly reachable IPv4 address
Or one of your other IoT / smart home devices / malware on your PC is doing local network reconnaissance? Connecting this device to a public wifi? Or just a bad neighbour who hijacks your SSID? This smells of "I'm secure because I'm behind a NAT" which conveniently ignores the couple dozen other paths an adversary could take.
perching_aix 31 minutes ago [-]
I can materialize that smell for you, you're indeed more secure because you're behind NAT. Admitting this does not necessarily entail:
- suggesting that it's a good security solution
- suggesting that it's a security solution to begin with
- suggesting that it somehow prevents all avenues of remote exploitation
What it does do is make these stories sound a lot less dramatic. Because no, John Diddler is not going to be able to just hop on and get into your child's smartwatch to spy on them from the comfort of their home on the other side of the world at a whim, unlike these headlines and articles suggest at a glance. Not through the documented exploitation methods alone anyways, unless my skim reading didn't do the paper justice.
Remaining remote exploration avenues do include however:
- the vendor getting compromised, and through it the devices pulling in a malicious payload, making them compromised (I guess this kinda either did happen or was simulated in the paper, but this is indirect and kind of benign anyways; you implicitly trust the vendor every time you apply a software update since it's closed source)
- the vendor being a massive (criminal?) doofus and just straight up providing a public or semi-public proxy endpoint, with zero or negligent auth, through which you can on-demand enumerate and reach all the devices (this is primarily the avenue I was expecting, as there was a car manufacturer I believe who did exactly this)
- peer to peer networking shenanigans: not sure what's possible there, can't imagine there not being any skeletons in the closet, would have been excited to learn more
List not guaranteed complete. But this is the kinda stuff I'd be expecting when I see these headlines.
groby_b 3 hours ago [-]
Sure. Or you might step out the door and a fridge falls on you. Equally likely.
Yes, it's an exploit. It should be fixed. But the endless hyperventilating over fringe exploits mostly has the effect that people now ignore all security conversations.
nickthenerd 3 hours ago [-]
The source site/paper won't load for me at this time, but if the device has a cellular modem in it for network connectivity, it will 100% be assigned an IPv4 address from the carrier. Unless this device is using an APN at the carrier level, or is using a SIM provider that provides some additional security.
nandomrumber 3 hours ago [-]
Sure, but that’s increasingly likely to be a private IPv4 address as a result of:
Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of network address translation (NAT) used by Internet service providers (ISPs) in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end users. This essentially repeats the traditional customer-premises NAT function at the ISP level.
Having said that, NAT isn’t a firewall.
wnevets 3 hours ago [-]
> Suffice to say, that is really quite unlikely, certainly in my experience at least.
Why is that? Are the cellular carriers blocking access?
perching_aix 45 minutes ago [-]
Because just like all other types of ISPs, they usually put their customers behind cgNAT.
craftkiller 18 minutes ago [-]
You must not be in the United States. Here, regular home cable/fiber internet ISPs usually assign a (dynamic) public ipv4 address to your router. Your cellular internet connection is usually behind cgnat, both on your phone and the new home wireless internet from the cellular providers, but regular home cable/fiber internet is the most common home internet type.
So I agree that the watch would likely be behind NAT (for IPv4), I just disagree with the statement that ISPs usually put their customers behind cgnat.
Article was a bit of a nothingburger for the technically inclined.
Digging into the paper, the significant finding (RCE) is achieved via:
A payload was written which installs a reverse shell backdoor for root persistence. The payload was sent from a computer hosting a Wi-Fi to which the watch was connected, to ensure the watch had a reachable IPv4 address.
The program ncat was used both to send the payload to the watch's network service, and to catch reverse shell connections.
So if i understand this- it requires the watch being connected to a compromised AP. Anyone get a different read?
purplehat_ 2 hours ago [-]
The quote seems to imply that if the watch receives the payload from any source, even without a compromised AP, it'll pop the shell.
The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit.
It doesn't seem like it has to be local network, though, the computer just has to receive the packet somehow. So for example if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercepts/redirect that traffic and serve the payload through that channel.
You might need the watch has no certificate pinning or weak certificate validation if it's using TLS but IoT devices often skip TLS.
Let me know if I'm misunderstanding the quote.
pixl97 4 hours ago [-]
Hence why modern secure devices use https to ensure MITM doesn't work because the internet is untrusted at large.
j45 4 hours ago [-]
Someone really needs to make a watch for kids sans touchscreen but with enough features for parents.
defraudbah 6 hours ago [-]
which smartwatch was that?
the source linked in the article is dead, and I only see that AI slop comment here
-- MyFirst Fone R1, singapore
funny that it's called my first, find my first upon your device, haha
> In this thesis, welldocumented grey-box ethical hacking is conducted of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s.
octoclaw 5 hours ago [-]
[dead]
fleahunter 6 hours ago [-]
[dead]
Rendered at 22:37:00 GMT+0000 (Coordinated Universal Time) with Vercel.
A former student at KTH Royal Institute of Technology has demonstrated how a popular children’s smartwatch can be fully compromised over the internet. In his thesis, “Ethical Hacking of a Smartwatch for Kids: A Hacker’s Playground,” Gustaf Blomqvist conducted an ethical security assessment of a widely sold kids’ smartwatch and found what he describes as severe security flaws.
The device, identified in Swedish media as the MyFirst Fone R1s by MyFirst, exposed an insecure network service directly to the internet. By scanning for devices, an attacker could identify watches and take complete control of them remotely.
According to the findings, an attacker could access the camera and microphone, eavesdrop on surroundings, read and manipulate text messages, send arbitrary messages, and potentially use the device in denial-of-service attacks. In total, 17 vulnerabilities were discovered.
Blomqvist also found preinstalled malicious code on the watch. The device reportedly connected periodically to a remote server and transmitted detailed information about its contents. The update mechanism for that code was itself vulnerable, making it possible to install additional malicious software.
Children’s smartwatches are marketed primarily as safety devices so that parents can stay in contact with their children. However, the research suggests these products may introduce serious privacy and security risks instead.
Blomqvist says he reported the vulnerabilities to the manufacturer and initially received instructions on where to submit the details, but after that communication stopped. Pontus Johnson, professor of cybersecurity at KTH, commented that many software-based systems remain highly vulnerable and that smaller manufacturers may lack the resources to properly address security issues.
The EU Cyber Resilience Act introduces mandatory cybersecurity requirements for connected products, but full enforcement will not take effect until 2027.
Sources: kth.se, expressen.se
I've seen larger firms that have come to own some software like this from buyouts and on the first analysis they'll find hundreds of shockingly easy exploits like RCE's in them.
Along with this I've seen the number of software vulns reported by closed source software is no where close to what they find and fix silently at a huge number of companies.
After skimming through the attacks performed in this research, and checking every mention of the word "internet", all I got was a section with a hypothetical scenario where the watch has a publicly reachable IPv4 address. Suffice to say, that is really quite unlikely, certainly in my experience at least.
It did also talk about bundled malware, so I guess that's bad enough, but is all IoT research like this? Always sounded to me like you kinda need to already have a foot in the door for these, and this paper didn't dispel that notion for me at all.
Either vendor might see the flaw as low-severity. So what if someone can send packets? So what if someone already on the local network can hack the camera? But combine them and you're pwned.
In theory I should be able to take a modern browser/device over a completely compromised router and either be safe, or have my device tell me "holy shit, something is wrong".
The days of local trust should be long gone by now.
Attacker reachable, presumably? Like from a hacked cable modem or wifi router?
Or one of your other IoT / smart home devices / malware on your PC is doing local network reconnaissance? Connecting this device to a public wifi? Or just a bad neighbour who hijacks your SSID? This smells of "I'm secure because I'm behind a NAT" which conveniently ignores the couple dozen other paths an adversary could take.
- suggesting that it's a good security solution
- suggesting that it's a security solution to begin with
- suggesting that it somehow prevents all avenues of remote exploitation
What it does do is make these stories sound a lot less dramatic. Because no, John Diddler is not going to be able to just hop on and get into your child's smartwatch to spy on them from the comfort of their home on the other side of the world at a whim, unlike these headlines and articles suggest at a glance. Not through the documented exploitation methods alone anyways, unless my skim reading didn't do the paper justice.
Remaining remote exploration avenues do include however:
- the vendor getting compromised, and through it the devices pulling in a malicious payload, making them compromised (I guess this kinda either did happen or was simulated in the paper, but this is indirect and kind of benign anyways; you implicitly trust the vendor every time you apply a software update since it's closed source)
- the vendor being a massive (criminal?) doofus and just straight up providing a public or semi-public proxy endpoint, with zero or negligent auth, through which you can on-demand enumerate and reach all the devices (this is primarily the avenue I was expecting, as there was a car manufacturer I believe who did exactly this)
- peer to peer networking shenanigans: not sure what's possible there, can't imagine there not being any skeletons in the closet, would have been excited to learn more
List not guaranteed complete. But this is the kinda stuff I'd be expecting when I see these headlines.
Yes, it's an exploit. It should be fixed. But the endless hyperventilating over fringe exploits mostly has the effect that people now ignore all security conversations.
Carrier-grade NAT (CGN or CGNAT), also known as large-scale NAT (LSN), is a type of network address translation (NAT) used by Internet service providers (ISPs) in IPv4 network design. With CGNAT, end sites, in particular residential networks, are configured with private network addresses that are translated to public IPv4 addresses by middlebox network address translator devices embedded in the network operator's network, permitting the sharing of small pools of public addresses among many end users. This essentially repeats the traditional customer-premises NAT function at the ISP level.
Having said that, NAT isn’t a firewall.
Why is that? Are the cellular carriers blocking access?
So I agree that the watch would likely be behind NAT (for IPv4), I just disagree with the statement that ISPs usually put their customers behind cgnat.
Same professor, Pontus Johnson, is mentioned that story.
Digging into the paper, the significant finding (RCE) is achieved via:
A payload was written which installs a reverse shell backdoor for root persistence. The payload was sent from a computer hosting a Wi-Fi to which the watch was connected, to ensure the watch had a reachable IPv4 address. The program ncat was used both to send the payload to the watch's network service, and to catch reverse shell connections.
So if i understand this- it requires the watch being connected to a compromised AP. Anyone get a different read?
The easiest source of this is local network attacks, and it's not that unusual. In this case you could imagine a teacher at school who knows how to use Metasploit.
It doesn't seem like it has to be local network, though, the computer just has to receive the packet somehow. So for example if the watch loads a website or connects to some service on the internet (firmware updates, cloud sync, telemetry, whatever), an attacker could try to receive/intercepts/redirect that traffic and serve the payload through that channel.
You might need the watch has no certificate pinning or weak certificate validation if it's using TLS but IoT devices often skip TLS.
Let me know if I'm misunderstanding the quote.
the source linked in the article is dead, and I only see that AI slop comment here
-- MyFirst Fone R1, singapore
funny that it's called my first, find my first upon your device, haha
> In this thesis, welldocumented grey-box ethical hacking is conducted of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s.