Smartwatch apps let parents keep track of kids, but data breaches mean strangers can watch them
Kate* lives with her family in a small city in north-eastern Switzerland. Image: Darren McCormack
We’ve never met six-year-old Kate*. But we know a lot about her.
We know she was born on October 8, 2013, and lives with her family in a small city in north-eastern Switzerland, renowned for its monasteries.
We know exactly where she was at 7.47am on any other ordinary day – down to the street number, name and suburb.
In fact, we can even show you.
Kate* could be tracked down to this street, where another one of her family members was also pinged. Photo: Google Earth
But Kate doesn’t know that we know all this – or that we even exist.
She is one of a number of people whose personal information – including real-time locations, phone numbers, dates of birth and contacts – were inadvertently exposed in what has been described as a “concerning” data breach.
‘I could go in there and start messaging them’
From the other side of the globe, Darren McCormack inadvertently found himself entwined in the lives of a group of complete strangers.
The father of four from Perth bought his daughter a TCL MoveTime Family Watch for Christmas.
It functions just like a mobile phone, but with the added ability to view the wearer’s location.
Last month, after his daughter set out for a bike ride with her older sister, he logged into the device’s smartphone app to see where they were.
Kate’s real name, birthday and phone number were also exposed (and have been removed for privacy reasons). Image: Darren McCormack
“There was a little button down the bottom that said connect with Facebook. I clicked it and it came up straight with one of those first screenshots, this random person’s account,” he said.
“I clicked through the settings, I could see their GPS location, their phone numbers, dates of birth. I could go in there and start messaging them.”
In some cases, he was even able to play voice messages that children had left for their parents.
Each time he tried to log into the app, it would connect him with “a random person’s account”, where their personal information was again exposed.
“The concerning part is, I don’t know whether or not my daughter’s information was disclosed to someone else throughout that weekend,” he said.
“You’ve got no way to know.”
‘Anybody could potentially track someone’
According to Damien Manuel, the director of Deakin University’s Cyber Security Research and Innovation Centre (CSRI) and chairman of the Australian Information Security Association (AISA), this kind of breach is “pretty common”.
“The challenge with all of this stuff is it relies on good authentication processes and mechanisms put in by device manufacturers or software manufacturers,” he said.
One user, whose information was accidentally shared with Darren, was logged at this park. Photo: Darren McCormack/Google Earth
“Because they’re always trying to compete with each other and get the latest version out really quickly, a lot of testing doesn’t necessarily occur and there’s bugs.”
These bugs – including data leaks and other security flaws – have been well documented in a range of tracking brands since the fruition of this technology in the market, prompting countries such as Germany to ban their sale outright.
Across the pond, US consumer groups have asked the government to investigate if they run afoul of laws concerning privacy and consumer protection.
But while there are valid questions as to whether it really matters if a stranger on the other side of the world has access to our personal information, Mr Manuel says consumers should be “very careful”.
“There’s the chance that if [Darren] could do that, that other people could see his daughter as well,” he said.
“Be cautious of the fact that if you can track somebody, anybody else could potentially track someone.”
This man’s name, number, safe zone, contacts and more were available to see. Image: Darren McCormack
‘We apologise to any users who were impacted by this issue’
When contacted by the ABC, a spokesperson for TCL Communications, which manufactures the watch, said the issue had since been rectified.
“After checking on this report further, it was found that a software bug was the root cause of this issue,” they said.
“Our teams identified this prior to you contacting us and this was corrected with an update on January 28 – less than 24 hours after it was first detected.
“We apologise to any users who were impacted by this issue, but they should rest assured that we take the data security and privacy of our customers very seriously and make every effort to avoid these issues.”
Mr McCormack, who says he noticed the issue on January 25, has been keeping a “close eye” on the device ever since.
“You’ve got no way to know whether or not my daughter’s personal information was disclosed, her location, date of birth, phone number,” he said.
“I’ve been keeping an eye on the device and haven’t seen any contacts, but it’s obviously very concerning.”
*Names have been changed for privacy reasons.