European Commission orders mass recall of creepy, leaky child-tracking smartwatch

The European Commission has ordered the recall of a smartwatch aimed at kids that allows miscreants to pinpoint the wearer's location, posing a potentially "serious risk". The commission uses its Rapid Alert System for Non-Food products (Rapex) to send out alerts to other nations in the European Economic Area about dangerous …

  1. Mage Silver badge
    Big Brother

    Tip of the Iceberg

    All internet connecting, WiFi, Bluetooth toys should be banned. Adults can choose to be daft with IoT, but kids usually have no choice.

    Also see Vtech toys.

    I know people are fed up about Brexit, but orders like this and the rather abused CE mark will have no validity in UK after Brexit. The Pre-CE and other before EU and European (ETSI etc) standards may not exist today or have validity after Brexit. No doubt there is a cunning plan to have British standards for RFI, Toxicity, child safety, data privacy, materials hazards and what not. Except I can't find it.

    1. Mark 85 Silver badge

      Re: Tip of the Iceberg

      In reading about Brexit, it seems that all things IT are somewhere on the back burner. I believe it's one of those "IT? Security? We've heard of it but have other things first." Translation is: "We know diddly squat about IT or IT Security so we're ignoring it.".

      1. Ken 16 Silver badge

        Re: Tip of the Iceberg

        if you applied that logic to all parts of the problem that MPs don't understand they'd be ignoring all facts.

        Oh, wait!

    2. Dan 55 Silver badge

      Re: Tip of the Iceberg

      Using the UKCA marking if the UK leaves the EU without a deal

      However you're right, IoT stuff is not included in the new UKCA mark, they're happy to accept CE for those. So whereas a CE-marked IoT product may be withdrawn in the EU, it seems there'll be no corresponding way of getting it withdrawn in the UK, just like there wouldn't be a way of getting a FCC-marked product imported from the US withdrawn in the UK if it were withdrawn in the US.

      1. spold Bronze badge

        Re: Tip of the Iceberg

        >>>there'll be no corresponding way of getting it withdrawn in the UK

        The cunning plan is since they are hackable and geo-locatable then we can communicate to little Timmy that he needs to go and deposit his smartwatch in the bin. We can tell if he has done it, and if not we know where he is and can go round and rip it off his arm.

        Sorted.

        1. TimMaher
          Coat

          Re: Tip of the Iceberg

          But... but... I’ve only just started wearing it. And a nice man phoned me up to be my friend. Sob! Gasp!

          You can imagine the state of my coat.

      2. This post has been deleted by its author

        1. big_D Silver badge

          Re: Tip of the Iceberg

          Having put many locally manufactured products through CE certification with TÜV Nord in Germany, it most certainly doesn't mean China Export.

          1. Spazturtle Silver badge

            Re: Tip of the Iceberg

            He is getting mixed up because China have introduced a CE logo that does mean China Export, they have done this deliberately to confuse consumers.

            Comparison of the two logos: https://i.imgur.com/8MpCgKk.jpg

        2. katrinab Silver badge

          Re: Tip of the Iceberg

          That's a different symbol.

          In the Conformité Européenne mark, the C is a semi-circle, and if you complete the circle, it touches the edge of the E, whereas with the China Export mark, the circle reaches the middle of the E.

          1. TRT Silver badge

            Re: Tip of the Iceberg

            Still not as nice a design as the BSI kite mark.

            1. Ken 16 Silver badge

              Re: Tip of the Iceberg

              you'll get that back with Brexit, at least.

              1. TRT Silver badge

                Re: Tip of the Iceberg

                Unfortunately, they've come up with a really crappy CEUK mark instead.

        3. David Nash Silver badge

          Re: Tip of the Iceberg

          China Export is the other one, cunningly designed to look almost but not quite entirely unlike the CE mark.

    3. Anonymous Coward
      Anonymous Coward

      Re: Tip of the Iceberg

      @Mage "No doubt there is a cunning plan to have British standards for RFI, Toxicity, child safety, data privacy, materials hazards and what not. Except I can't find it."

      Out means out. No one (who loyally vote leave) cares about any of that stuff, just so long as the UK is no longer a vassal state of the EU and free from stupid Brussels rules and regulations that GB had absolutely no hand in crafting whatsoever.

      1. Casca

        Re: Tip of the Iceberg

        Nice going there. Too bad that UK was one of the countries with greatest influence in EU...

        1. MJB7

          Re: Tip of the Iceberg

          Whoosh!

          (At least, I'm pretty sure the comment was supposed to be ironic. Admittedly, it can be hard to tell.)

          1. Evil Auditor Silver badge

            Re: Tip of the Iceberg

            I'm pretty sure the comment was supposed to be ironic.

            Most certainly it is ironic. Anything else wouldn't make any sense at all.

      2. Mark 108

        Re: Tip of the Iceberg

        You do know that the UK has 73 MEPs in the EU parliament, I would hardly call that no say.

        1. Trigonoceps occipitalis

          Re: Tip of the Iceberg

          The one wee problem is that they have as much influence as the other MEPs.

        2. Justthefacts

          Re: Tip of the Iceber

          Of course 73 MEPs is “no say”. None of the 751 MEPs have any “say” in policy. That’s not their role. The EU institutions weren’t just carbon copied from the U.K. version of representative parliamentary democracy. It was never designed to be, and does not claim to be in its constitution or practice.

          The primary institutions are:

          The Commission is the executive, and is not an elected body. It proposes, and executes all policy, and is the budget holder. This is “who runs the EU” in the sense that a CEO and Directors run a company. That’s not an insult, it’s simply the facts of the Constitution.

          The Council of Ministers consists of the Heads of Government of the EU27. It “decides direction of policy” (but not propose laws, and can't overrule the Commission) and sorta kinda appoints the Commission President. Except it doesn’t. It’s “complicated”. Depending on how you like your metaphors, the Council is equivalent to either the shareholders, or the Queen.

          The European Parliament, is allowed to vote only on matters already discussed and proposed by the Commission. Its only powers are to request the policy to be amended and re-submitted (which it only rarely does) and it is not allowed to simply refuse when re-submitted. Although not an exact analogy, it is similar to our House of Lords.

          The EU is a radically different political system, which inverts and re-allocates power between Civil Service, elected and appointed Houses. It happens to use words like “parliament”, but those words have very different meanings and weights to what we are familiar with. There are more types of democracy than you think, and the EU style inherits more from that of the Catholic Church and Holy Roman Empire than it does from Westminster.

          1. J.G.Harston Silver badge

            Re: Tip of the Iceber

            The EU political system is reminiscent of Chiang Kai-shek's concept of Parliamentary democracy, where the Legislature was explicitly an arm of government and was explicitly there to create the laws the government told it to do.

      3. Kane Silver badge
        Go

        Re: Tip of the Iceberg

        "Out means out. No one (who loyally vote leave) cares about any of that stuff, just so long as the UK is no longer a vassal state of the EU and free from stupid Brussels rules and regulations that GB had absolutely no hand in crafting whatsoever."

        Invoking Poe's Law.

      4. Ken 16 Silver badge

        Re: Tip of the Iceberg

        How are you going to exercise your Sovereignty?

        Is that similar to droit du seigneur?

    4. big_D Silver badge

      Re: Tip of the Iceberg

      A similar watch was banned in Germany last year.

      It allowed the "parent" to listen in on the child at any time, including when they were with friends or in school - which is an invasion of privacy, under German law everybody who can be heard by the device must give their permission, before they can be listened to, as the device listens without warning, it was deemed illegal.

      Parents had to return it to the retailer and get their money back or have it destroyed and get a certificate showing it had been correctly destroyed and disposed of.

      1. Anonymous Coward
        Anonymous Coward

        Re: Tip of the Iceberg

        Almost as if Germans had a bad experience with families spying on each other and don't want to repeat that. I wonder how they feel about 'physical infrastructure' splitting countries in two?

        1. A.P. Veening

          Re: Tip of the Iceberg

          "I wonder how they feel about 'physical infrastructure' splitting countries in two?"

          For Germans that is ancient history, I suggest asking people for whom it is current reality (Koreans).

          1. Ken Hagan Gold badge

            Re: Tip of the Iceberg

            A quarter of a century is not "ancient history". It's the gap between WW1 and WW2, for example, and you'd be a fool to suggest that the Germans had forgotten the former by the start of the latter. It is also less than the gap between WW2 and my childhood, during which I distinctly remember West Germany being an inspiring example of how *not* to forget the important stuff of history.

          2. big_D Silver badge

            Re: Tip of the Iceberg

            For those born after 2000, maybe. For those born in the 20th Century, the aftermath of fascism and communism still runs very deep.

            For those that grew up in the East, it is especially deep ingrained.

            I have a friend who was a teacher at a school in the DDR and lost her job because one of the other teachers was a Stasi spy and reported her less than euphoric opinion of the Party - she didn't say anything negative, she just wasn't positive enough on that one occasion. She lost her job and could never work as a teacher again.

            For people who grew up not knowing whether their parents, their spouse or their children might be spying on them for the Stasi, it is easy to see how the population in general has a hard time coming to terms with governments or corporations spying on them.

            That is why drones can't be flown over industrial or residential areas, why number plate recognition cameras are illegal in most states and why CCTV is generally frowned upon and only allowed under certain circumstances.

            Dashcams are quasi illegal - you can only use them to record the last 30 seconds before an accident and you (theoretically) can't upload it to YouTube, you can't use it to report someone and if you do upload it, you have to make the numberplates unrecognisable.

            Given that background, it is easy to understand why people are reticent to let Google & Co. track them.

            My better half is a native German and when she is at a party and people make photos, she explicitly states that they do not have her permission to upload any photos with her in them to the Internet. No tech is allowed into the house with a microphone or camera, with the exception of a smartphone, the laptop and tablet have their cameras taped over.

  2. steviebuk Silver badge

    Cloudpets

    Amazon don't appear to give a shit about resellers selling Cloudpets as they are still available via Amazon resellers. They won't give a shit until it appears in the news that is, then suddenly they'll give a shit or at least pretend to.

    1. Dan 55 Silver badge

      Re: Cloudpets

      They'll only give a shit if they're fined for it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cloudpets

        and then only if the fine is more than the profit margin - which it never is.

        1. A.P. Veening

          Re: Cloudpets

          "and then only if the fine is more than the profit margin - which it never is."

          They will also give a shit when it hits their reputation hard enough the bottom line feels it.

          1. steviebuk Silver badge

            Re: Cloudpets

            Which unfortunately will never happen.

          2. Carpet Deal 'em

            Re: Cloudpets

            Amazon's had more scandals than Facebook at this point. I'm not sure it's even possible for them to screw up badly enough to impact their revenues.

  3. jdb3

    Is it just me, or is that a horrible acronym for this system? At the very least, they could have stuck with 'RAS-NF' or even 'RASNF'. 'Rapex'? That's just wrong.

    1. 10forcash

      Wrong in this context, potentially humorous in others... internet connected sex toys for example?

      1. Mage Silver badge
        Paris Hilton

        Re: internet connected sex toys

        You mean Teledildonics?

        Can we get these people shut down or shut down bitcoin? People keep telling me Bitcoin is traceable. Obviously criminals don't think so.

        I'm sure most people realise these emails are fake (usually).

        However the possible financial opportunities for Teledildonics compared to Teddy Bears, smart watches, baby monitors or IoT such as Nest are amazing.

        I suppose it's a change from people that may or may not be Nigerians offering commission on funds transfer.

        ---------------------------------------------------------------------------------

        Hello!

        I have very bad news for you.

        03/09/2018 - on this day I hacked your OS and got full access to your account *******@*******.***

        On this day your account *******@*******.*** has password: smagfest

        So, you can change the password, yes.. But my malware intercepts it every time.

        How I made it:

        In the software of the router, through which you went online, was a vulnerability.

        I just hacked this router and placed my malicious code on it.

        When you went online, my trojan was installed on the OS of your device.

        After that, I made a full dump of your disk (I have all your address book, history of viewing sites, all files, phone numbers and addresses of all your contacts).

        A month ago, I wanted to lock your device and ask for a not big amount of btc to unlock.

        But I looked at the sites that you regularly visit, and I was shocked by what I saw!!!

        I'm talk you about sites for adults.

        I want to say - you are a BIG pervert. Your fantasy is shifted far away from the normal course!

        And I got an idea....

        I made a screenshot of the adult sites where you have fun (do you understand what it is about, huh?).

        After that, I made a screenshot of your joys (using the camera of your device) and glued them together.

        Turned out amazing! You are so spectacular!

        I'm know that you would not like to show these screenshots to your friends, relatives or colleagues.

        I think $728 is a very, very small amount for my silence.

        Besides, I have been spying on you for so long, having spent a lot of time!

        Pay ONLY in Bitcoins!

        My BTC wallet: 1E5XMWQtyYnCY4LkLnjMtqBMQNnC1KS3m3

        You do not know how to use bitcoins?

        Enter a query in any search engine: "how to replenish btc wallet".

        It's extremely easy

        For this payment I give you two days (48 hours).

        As soon as this letter is opened, the timer will work.

        After payment, my virus and dirty screenshots with your enjoys will be self-destruct automatically.

        If I do not receive from you the specified amount, then your device will be locked, and all your contacts will receive a screenshots with your "enjoys".

        I hope you understand your situation.

        - Do not try to find and destroy my virus! (All your data, files and screenshots is already uploaded to a remote server)

        - Do not try to contact me (you yourself will see that this is impossible, I sent you an email from your account)

        - Various security services will not help you; formatting a disk or destroying a device will not help, since your data is already on a remote server.

        P.S. You are not my single victim. so, I guarantee you that I will not disturb you again after payment!

        This is the word of honor hacker

        I also ask you to regularly update your antiviruses in the future. This way you will no longer fall into a similar situation.

        Do not hold evil! I just do my job.

        Good luck.

        1. steviebuk Silver badge

          Re: internet connected sex toys

          That's funny as we get those phishing emails at work. 365 is doing a shit job at seeing what they are so they are ending up in people's inboxes.

    2. big_D Silver badge

      It depends on where you put the emphasis - and where your mind is.

      Is it Rap-Ex or Rape-X? I read it as the former for the first half of the article. The name probably got passed, because English is not the native language of most of the people involved.

      Maybe if it had been called VergewaltigungX the Germans might have complained...

  4. Anonymous Coward
    Anonymous Coward

    But adults have the same crap

    Should we just give the kids phones just like adults have?

    You know, with the tracking apps by google and facebook, the map apps tracking location, the Find My Phone app that anyone can tap into (if they know who to ask). The phone that any ISM catcher can hear and see all the data that passes through. Maybe some Facetime so people can watch and listen to you all day.

    Too bad nobody protects the adults like the kids, our phones/tracking devices leak data as if - they - were - made - to........

    1. big_D Silver badge
      Boffin

      Re: But adults have the same crap

      Adults "know" the risks and can make an informed decision, whether they want to be tracked or not.

      Well, that is the theory at least.

    2. JetSetJim Silver badge

      Re: But adults have the same crap

      > Find My Phone app that anyone can tap into (if they know who to ask)

      err - if you know The Right Person (TM) you can trace any phone (assuming that person is happy to break the law) - there's a call trace function in the network used for legal intercept and also for network optimisation - if you know the right person in the Network Operations Centre, you can give them an IMSI or IMEI and it can be traced to a reasonably high degree of accuracy. If you know The Right Person (TM), you could place a legal Intercept tap on the calls, but that person would probably pretty swiftly get sacked and arrested as these things are rigorously documented in logs. Regarding the Find My Phone feature, presumably you need to know The Right Person (TM) in Apple, or conceivably some naughty hacker who can get into the Apple account.

      IMSI catchers? Well, they are about, and nefarious deeds can be done with them I'm sure, but they'll cost $1-2k to make at a minimum, and are localised in effect. Not sure they can access any data on the phone, as they operate lower down the protocol stack only, and the higher layers are all encrypted. The only way to get higher layer access is to also impersonate the core network (conceivable, as there are open-source implementations - it may be simply a case of setting the MNC/MCC correctly, but I suspect the phone might reject it due to different APN settings which would need provisioning - suspect you'd need cooperation from the network, which is why law enforcement can use them easily, and perhaps not so easy for tech-hacker-types)

  5. FozzyBear Silver badge
    Unhappy

    Child tracking watches, IoT based toys, Smart phones, tablets, xbox or Playstation.

    Dear Parents,

    All of these options cannot replace you putting down your smartphone, tablet, xbox or playstation. Going outside and spending time with your children. Sort of like what parents did in the olden days. If you are too lazy to even think about this, or it terrifies you, why did you have kids in the first place?

    The world doesn't need a whole generation of kids that were raised without parental involvement.

    1. Doctor Syntax Silver badge
      Unhappy

      "Sort of like what parents did in the olden days."

      That might be an assumption too far for some parents.

    2. Aladdin Sane Silver badge

      Re: The world doesn't need a whole generation of kids that were raised without parental involvement.

      That's what nannies are for.

      1. Ken 16 Silver badge
        Childcatcher

        Re: The world doesn't need a whole generation of kids that were raised without parental involvement.

        get back in your box, Rees-Mogg!

    3. Anonymous Coward
      Anonymous Coward

      FozzyBear commented:

      "All of these options cannot replace you putting down your smartphone, tablet, xbox or playstation. Going outside and spending time with your children. Sort of like what parents did in the olden days. If you are too lazy to even think about this, or it terrifies you, why did you have kids in the first place?

      The world doesn't need a whole generation of kids that were raised without parental involvement."

      Your comment is very "Daily Mail" in its nature.

      ... I'm in my 40s and can quite categorically say my parents didn't do this and I was left to my own devices - had a Commodore 64 to code, Amiga to play and Raleigh bikes to ride. I had technology - pretty much like the modern child now has a tablet or smartphone. I do spend time with my children outside and they are very active. I also take care to warn them of Internet dangers, show them how to be safe online and accept that I won't block them from something that they enjoy but show them how to be responsible and safe.

  6. herman Silver badge

    The watch does exactly what it was designed to do. So the guy who wrote the specification is to blame, not the guy who made it.

    1. JetSetJim Silver badge
      FAIL

      "the guy" who wrote the spec presumably worked for the same company as "the guy" who made it (and presumably can equally blame "the guy" who wrote the list of features for the device that the specs would have been written from). "these guys" did not implement standard application and server security protocols and should be slapped around with laws to get it fixed

  7. redpawn Silver badge

    Don't be so alarmist

    This is just to get the IoT generation used to the corporate surveillance state. Early exposure will make these children better equipped to function in the brave new IoT world.

    1. Chris G Silver badge

      Re: Don't be so alarmist

      Rather than discontinue the watches, every child should be issued one with small modification. Only removable with a special key and an electric shock function that can be controlled remotely.

      " Timmy! It's time for your social alignment lessons"

      "Aww but I wanna play fooAaaargh, I'm going now"

      Bbzzzzt! " Ok ok I'm running there now, I love big brother!".

      1. Mage Silver badge
        Big Brother

        Re: Don't be so alarmist

        I always do what Teddy says, so I'm not alarmed at all,

  8. Flak
    Flame

    Same test results, different conclusion?

    "...they have appealed to the authorities in charge with the demand that this test conclusion would be reversed."

    So let me get this into my head:

    Reported facts:

    - the mobile application accompanying the watch has unencrypted communications with its backend server

    - the server enables unauthenticated access to data

    A malicious user can therefore:

    - send commands to any watch

    - can make any watch call another number of his choosing

    - can communicate with the child wearing the device

    - locate the child through GPS

    But all that is OK because:

    - This RAPEX announcement [is based] on a test in Iceland. --> not sure why a test in Iceland should be invalid - maybe because it is cold there?

    - We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product (a previous version of the product, which is not in the market anymore) --> which of these excuses will work - none of them, certainly not for those who have already bought the flawed products.

    - We, also, think, that the Test Conclusion of the Bundesnetzagentur is sufficient and rules --> just because one agency has apparently not found any holes in the product it does not follow that there are none - the reported facts clearly show that whatever tests were carried out were clearly not adequate to find the fundamental flaws.

    It simply does not compute.
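What the two reported facts in the comment above mean on the server side, next to the checks that close them, as an added sketch that is not the vendor's code and not from the article. The watch IDs, account names, request fields and token format are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical): which account is paired with which watch.
PAIRINGS = {"watch-1001": "parent-alice", "watch-2002": "parent-bob"}
LOCATIONS = {"watch-1001": (64.1466, -21.9426), "watch-2002": (52.5200, 13.4050)}
ALLOWED_COMMANDS = {"locate", "call"}
SERVER_KEY = secrets.token_bytes(32)  # per-process key used to sign session tokens


def _mac(account: str) -> str:
    return hmac.new(SERVER_KEY, account.encode(), hashlib.sha256).hexdigest()


def issue_token(account: str) -> str:
    """Token handed out after a successful login (the login itself is not shown)."""
    return f"{account}.{_mac(account)}"


def verify_token(token):
    """Return the account a token belongs to, or None if it is missing or forged."""
    if not isinstance(token, str) or "." not in token:
        return None
    account, _, mac = token.rpartition(".")
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    if hmac.compare_digest(mac.encode(), _mac(account).encode()):
        return account
    return None


def handle_insecure(request: dict) -> dict:
    """The reported behaviour: any caller, any watch ID, plain or encrypted transport."""
    watch = request["watch_id"]
    if request["command"] == "locate":
        return {"status": 200, "location": LOCATIONS[watch]}
    return {"status": 200, "queued": request["command"]}


def handle_hardened(request: dict) -> dict:
    """Same endpoint with transport, authentication and ownership checks."""
    # 1. Refuse anything that did not arrive over TLS.
    if request.get("scheme") != "https":
        return {"status": 400, "error": "TLS required"}
    # 2. Authenticate the caller.
    account = verify_token(request.get("token"))
    if account is None:
        return {"status": 401, "error": "authentication required"}
    # 3. Authorise: the watch must be paired with this account. Unknown and
    #    not-owned watches get the same answer so IDs cannot be enumerated.
    watch = request.get("watch_id")
    if PAIRINGS.get(watch) != account:
        return {"status": 404, "error": "no such watch"}
    # 4. Only commands the product actually supports are accepted.
    command = request.get("command")
    if command not in ALLOWED_COMMANDS:
        return {"status": 400, "error": "unknown command"}
    if command == "locate":
        return {"status": 200, "location": LOCATIONS[watch]}
    return {"status": 200, "queued": command}


if __name__ == "__main__":
    alice = issue_token("parent-alice")
    base = {"scheme": "https", "command": "locate"}
    print(handle_insecure({"watch_id": "watch-2002", "command": "locate"}))
    print(handle_hardened({**base, "watch_id": "watch-2002"}))
    print(handle_hardened({**base, "watch_id": "watch-2002", "token": alice}))
    print(handle_hardened({**base, "watch_id": "watch-1001", "token": alice}))
```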

    1. FrogsAndChips Bronze badge

      Re: Same test results, different conclusion?

      Well, at least they spared us the usual "We take security very seriously" press release.

    2. LDS Silver badge

      "Test Conclusion of the Bundesnetzagentur is sufficient"

      I'm quite sure they just tested the device complies with relevant radio emission and mobile comm regulations and maybe physical safety ones - they never tested the security of the device.

      1. steviebuk Silver badge

        Re: "Test Conclusion of the Bundesnetzagentur is sufficient"

        Or ignored security checks when brown envelopes were slid quietly over the table.

    3. David Nash Silver badge

      Re: Same test results, different conclusion?

      Yeah that's how it came across to me too "Iceland? Who cares about Iceland, we're in Germany!"

      1. J.G.Harston Silver badge

        Re: Same test results, different conclusion?

        NetNanny's gone to Iceland?

  9. Guus Leeuw

    There's something good here

    Dear Sir,

    <sarcasm>

    4 eyes is better than 2, isn't it.

    </sarcasm>

    Regards,

    Guus

  10. adam payne Silver badge

    We think this test was excessive – not reasonable, material or fair – or, based on a misunderstanding or the wrong product (a previous version of the product, which is not in the market anymore

    Interesting, so you knew about the previous versions having these problems. Didn't say anything and didn't fix the newer version?

    Also if this is an old product and it's not on the market anymore, why are the backend servers still running?

    1. SImon Hobson Silver badge

      Also if this is an old product and it's not on the market anymore, why are the backend servers still running?

      Perhaps "not on the market any more" =/= "no longer used by anyone". Or put another way, you don't shut down the required infrastructure when the last unit goes out the warehouse door - unless you're Google and have just "terminated" Revolv hubs.

      https://www.theregister.co.uk/2016/04/06/nest_kills_revolv/

  11. TRT Silver badge

    Who watches the watch watchers?

    1. Aladdin Sane Silver badge
