A recent report claims that the Xplora 4 smartwatch made by the Chinese-owned company Qihoo 360 Technology and marketed to children in the U.S. and Europe can secretly take photos and record audio when activated by an encrypted SMS message.
The Register reports that a recent study by the Norwegian security firm Mnemonic has discovered that the Xplora 4 smartwatch manufactured by the Chinese tech firm Qihoo 360 Technology and marketed to children in the U.S. and Europe can covertly take photos and record audio when it receives an encrypted SMS text message. Some of the commands available include remote snapshot, location checks, and “wiretap.”
Mnemonic alleges that the backdoor is not a bug but a deliberate secret feature. Approximately 350,000 of the watches have been sold so far and Mnemonic states that the security backdoor is easily exploited. Infosec experts Harrison Sand and Erlend Leiknes said in a report on Monday: “The backdoor itself is not a vulnerability. It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch.”
The researchers suggested that the smartwatches could be used to secretly capture photos from their built-in cameras, track the wearer’s location, and conduct wiretapping via the devices’ built-in microphone. Xplora alleges that the security issue is just unused code from a prototype and has now been patched; however, the company’s smartwatches were previously cited by Mnemonic and the Norwegian Consumer Council in 2017 for assorted security and privacy concerns.
The report further notes that in June the U.S. Department of Commerce placed the Chinese and UK business groups of Qihoo 360 on its Entities List, a designation limiting the company’s ability to do business in the U.S.
“Xplora takes privacy and any potential security flaw extremely seriously,” the company said in an emailed statement. “Since being alerted, we developed a patch for the Xplora 4 that will eliminate this potential issue and we pushed it out prior to 8am CET on October 9.”
The spokesperson added: “It is important to note that the potential flaw requires physical access to the X4 watch and the private phone number. Even if this is activated, the only place the image would go is to Xplora’s server in Germany located in a highly-secure Amazon Web Services environment which is not accessible to third parties.”
Read the full report from Mnemonic here.
Lucas Nolan is a reporter for Breitbart News covering issues of free speech and online censorship. Follow him on Twitter @LucasNolan or contact via secure email at the address firstname.lastname@example.org