Smartwatches for children are on the rise. As internet-connected surveillance and communication devices attached to children, their security is important. However, previous work on their security suffers from inadequate documentation, and their network service attack surface is unstudied while their firmware attack surface is only little studied. In this thesis, well-documented grey-box ethical hacking of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s is conducted. The methodology is based on PatrIoT and consists of five stages: planning, threat modelling, exploitation, reporting, and evaluation. As a result, one network service vulnerability and 16 firmware vulnerabilities are discovered, including preinstalled malware. An attacker can obtain persistence as root on the watch through a highly practical attack using any of five entry points, three being remotely exploitable, and one being the network service vulnerability. In particular, an attacker can scan the internet to enumerate watches, and then easily and covertly seize control of them. It is concluded that the security of the watch’s network service and firmware attack surfaces is remarkably poor and definitely inadequate. This thesis improves the understanding of the security of children’s smartwatches, highlights the importance of comprehensive attack surface coverage, and warrants future work on children’s smartwatches and the preinstalled malware. Coordinated vulnerability disclosure (CVD) has largely failed.
Gustaf Blomqvist studied this question.