April 16, 2019 05:49 pm PDT

Your kid's "smart watch" lets anyone in the world trace their location. Again.

Back in 2017, the Norwegian Consumer Council published a damning report on the privacy leaks from kids' "smart watches," a parade of horrors that included allowing unauthorized third parties to trace your kid's location, and also to covertly eavesdrop through the watches' microphones and bark creepy orders at them through their speakers.

A year later, Pen Test Partners audited the security of the popular Misafe kid smart-watch and guess what? It was a fucking dumpster-fire, too. Six months later, Pen Test Partners checked kids' "smart watches" like those from Gator and they were still fucking dumpster-fires. The accumulated evidence was finally enough to prompt a recall of Safe-Kid One, one of the terrible watches.

You'd think that this would be a wake-up call for the kids' "smart watch" sector. You'd be wrong.

This week, nearly two years after the first of these reports was published, Pen Test Partners has audited Tictoctrack, a kids' "smart watch" retailed in Australia, and you will: never. guess. what. they. found.

Tictoctrack is a rebadged Gator watch -- the ones that had to fix a glaring API flaw that Pen Test Partners published on in January -- but because it has its own back-end, one that keeps all kid-data onshore in Australia, it has its own grotesque security defects.

Tictoctrack paid a Sri Lankan company called Nibaya to develop a new mobile front-end, and hosts the servers with an Australian firm called 6YS. The backend's API allows for wide-ranging access to all users' data with no meaningful authentication (you need a valid user/pass combo, but you can generate one of these by buying a watch and initializing it, and thereafter you can access all of the users' accounts).


Original Link: http://feeds.boingboing.net/~r/boingboing/iBag/~3/QFExuH6oe5Q/tictoctrack.html
