
Cybersecurity of smartwatch aimed at children was ‘a train wreck’, experts say

Gator watch range by TechSixtyFour was found to reveal live location of thousands of children


Parents buying smartwatches for their children might think they are doing the right thing, as these devices help them keep an eye on their kid's location without entrusting them with a pricey, addictive, and easily-broken smartphone.

But security researchers have found gaping holes in the security of a popular range of these kid-friendly wearables. Called Gator, the portfolio of smartwatches is produced by a company called TechSixtyFour and intended for children aged five to 12. Back in 2017, the device range was called out over security flaws discovered by the Norwegian Consumer Council.


Some retailers removed Gator watches from sale as a result of the findings.

Just over a year later, researchers from UK-based Pen Test Partners (PTP) decided to revisit the Gator watch range and see what improvements had been made. Unfortunately for TechSixtyFour - along with the parents who bought the watches and the children who wear them - the news is not good.

"Guess what: a train wreck," PTP said in a post on its website in late January. PTP went on: "Anyone could access the entire database, including the real time child location, name, parent details etc. Not just Gator watches either - the same backend covered multiple brands and tens of thousands of watches."

PTP found that the location and personal information of 35,000 children and their parents could be viewed through the watch's online portal by anyone with basic cybersecurity knowledge. This is because anyone could manipulate the system to give them full administrative access.

In 2017, the technology press praised Gator watches for their ability to help parents keep in contact with their children without buying them a mobile phone and for their GPS tracking abilities.

On January 11, PTP contacted China-based TechSixtyFour to inform the company of the severe flaw. PTP asked that the problems be fixed within a month, at which point it would publicly announce its findings.

According to PTP's blog post, TechSixtyFour requested two months to address the problem, as it was close to the Chinese New Year. "We were really disappointed by this request, given the sensitivity of the data involved," PTP said.

[Image: The watches are intended for children aged between five and 12. Credit: My Gator Watch]

A fix was then made, and PTP validated that the system was secure as of January 16.

Describing the situation before the fix, PTP adds: "We discovered 20,000 accounts on the system, with 35,000 devices affected. This isn't good. Given TechSixtyFour's flawed security history, we would have thought that a thorough security review would have been [sic] undertaken immediately after the findings of the Norwegian Consumer Council were published last year."

Unfortunately, weak security in devices like these is a common problem. Whether it be an internet-connected fish tank thermostat giving hackers access to a casino's database, a child's toy being compromised by hackers able to listen through its microphone, or a robotic vacuum cleaner having its camera compromised, such incidents are widespread.


A report in late 2017 claimed that over two-thirds of consumers fear internet-connected devices being hacked. As the Internet of Things grows, the number of potential targets—targets often with weak or broken security—will increase.

PTP added: "We keep seeing issues on cheap Chinese GPS watches...As this product is used by children, its security should be tested regularly and thoroughly...The problem is that the price point of these devices is so low that there is little available revenue to cover the cost of security."

In summary, the security researchers said, "Our advice is to avoid watches with this sort of functionality like the plague. They don't decrease your risk; they actively increase it."

Colleen Wong, founder of TechSixtyFour, told GearBrain: "At Techsixtyfour, the security of our product, My Gator Watch, is of paramount importance. Our business follows all IoT security industry standards and best practices as set out by the IoT Security Foundation.

"Since 2017, we have hired a reputable London cyber security firm with industry-accepted qualifications to do annual full penetration tests as part of our ongoing commitments to security along with monthly automated vulnerability assessments. We have completed our most recent pen test on Jan 30, 2019."

The statement continued: "We appreciate Mr Munro of Pentest Partners disclosing this vulnerability to us, and our team has taken this seriously as our fix was completed within 48 hours. An internal investigation of the logs did not show that anybody had exploited this flaw for malicious purposes.

"In this instance, Mr. Munro gave only a cursory description of the security flaw to resolve this vulnerability before he would disclose it in 30 days' time. Our technical team took this high-level description and implemented a partial fix within 12 hours. They then identified the root cause and deployed a full fix within 48 hours of the notification. This process could have been expedited if Mr Munro had shared the low level details of the vulnerability, as we requested and as per the vulnerability disclosure policy of Mr. Munro's organisation."

