This Chinese smartwatch takes photos of users covertly and sends them to the Chinese government

Information security specialists report the detection of a backdoor in the code of a popular smartwatch designed specifically for children. Apparently, this feature would allow any user to activate the device camera remotely, listen to phone calls and track their location in real time.

The X4 smartwatch developed by Norwegian company Xplora, works with Android operating system and can be linked to an app for parents to monitor device usage and even receive alerts about the routines of the child carrying the watch.

A recent research mentioned that backdoor can be activated by sending an encrypted text message to the device. Experts from security firm Mnemonic mention that there are commands to report the real-time location of the watch, activate the camera, among other malicious actions.

Experts also claim that 19 of the apps preloaded on the X4 were developed by the Chinese technology company Qihoo 360, which would also have collaborated on the development of the device. Last June, this Chinese company was included on the U.S. Department of Commerce’s sanctions list for its alleged ties to the Communist Party of China.

In their research, the experts discovered the backdoor using a revolutionary reverse engineering method, starting with a modified USB cable soldered to exposed pins on the back of the watch. Using an interface to update the firmware of the device, it was possible to download the current existing firmware of the watch and inspect its interior, including applications and other code packages.

La imagen tiene un atributo ALT vacío; su nombre de archivo es x4smartwatch01.jpg

For obvious reasons, this is a troubling issue in terms of security and privacy. To make matters worse, the backdoor can be applied to multiple components of the watch by simply using the phone number linked to the device. In this regard, Xplora issued a statement acknowledging the existence of the backdoor and announcing the upcoming release of a security patch, although it also noted that it would be difficult to gain access to affected devices even by exploiting the backdoor successfully. 

Having sold about 100,000 units of the X4 smartwatch, Xplora is already preparing for the launch of the X5 model, although it was not mentioned if similar flaws have been fixed on this device.

Like the company, Mnemonic experts consider it very difficult to exploit the backdoor, as this requires knowing the encryption key of the device in addition to the associated phone number. In conclusion, although the company has made a severe security error and its relationship with China raises suspicions, there are not many reasons for users of these devices to feel monitored.