Backdoorer the Xplora: Kids' smartwatches can secretly take pics, record audio on command by encrypted texts

It was just code left over from a prototype, says hardware maker


The Xplora 4 smartwatch, made by Chinese outfit Qihoo 360 Technology Co, and marketed to children under the Xplora brand in the US and Europe, can covertly take photos and record audio when activated by an encrypted SMS message, says Norwegian security firm Mnemonic.

This backdoor is not a bug, the finders insist, but a deliberate, hidden feature. Around 350,000 watches have been sold so far, Xplora said. Exploiting this security hole is essentially non-trivial, we note, though it does reveal the kind of remotely accessible stuff left in the firmware of today's gizmos.

"The backdoor itself is not a vulnerability," said infosec pros Harrison Sand and Erlend Leiknes in a report on Monday. "It is a feature set developed with intent, with function names that include remote snapshot, send location, and wiretap. The backdoor is activated by sending SMS commands to the watch."

The researchers suggested these smartwatches could be used to capture photos covertly from their built-in camera, to track the wearer's location, and to conduct wiretapping via the built-in mic. They have not claimed any such surveillance has actually been done. The watches are marketed as a child's first phone, we're told, and thus contain a SIM card for connectivity (with an associated phone number). Parents can track the whereabouts of their offspring by using an app that finds the wearer of the watch.

Xplora contended the security issue is just unused code from a prototype and has now been patched. But the company's smartwatches were among those cited by Mnemonic and the Norwegian Consumer Council in 2017 for assorted security and privacy concerns.

Sand and Leiknes noted in their report that while the Norwegian company Xplora Mobile AS distributes the Xplora watch line in Europe and, as of September, in the US, the hardware was made by Qihoo 360 and 19 of its 90 Android-based applications come from the Chinese company.

They also pointed out that in June, the US Department of Commerce placed the Chinese and UK business groups of Qihoo 360 on its Entities List, a designation that limits Qihoo 360's ability to do business with US companies. US authorities claim, without offering any supporting evidence, that the company represents a potential threat to US national security.

In 2012, a report by a China-based civilian hacker group called Intelligent Defense Friends Laboratory accused Qihoo 360 of having a backdoor in its 360 secure browser [PDF].

In March, Qihoo 360 claimed that the US Central Intelligence Agency has been conducting hacking attacks on China for over a decade. Qihoo 360 did not immediately respond to a request for comment.

According to Mnemonic, the Xplora 4 contains a package called "Persistent Connection Service" that runs during the Android boot process and iterates through the installed apps to construct a list of "intents," commands for invoking functionality in other apps.

With the appropriate Android intent, an incoming encrypted SMS message received by the Qihoo SMS app could be directed through the command dispatcher in the Persistent Connection Service to trigger an application command, like a remote memory snapshot.
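For anyone auditing a firmware image for this pattern, here is an added example (not code from Mnemonic's report or from the device) that maps the three pieces described above across preinstalled apps: an SMS receiver, a boot-time starter, and camera, mic or location components reachable by a custom intent. The package names, the action name and the sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"
SENSORS = {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
           "android.permission.ACCESS_FINE_LOCATION"}
BOOT = "android.intent.action.BOOT_COMPLETED"
SMS = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifests of three hypothetical preinstalled packages.
SAMPLE = ["""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.sms">
 <uses-permission android:name="android.permission.RECEIVE_SMS"/>
 <application><receiver android:name=".SmsIn"><intent-filter>
  <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
 </intent-filter></receiver></application></manifest>""",
"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.dispatch">
 <application><receiver android:name=".OnBoot"><intent-filter>
  <action android:name="android.intent.action.BOOT_COMPLETED"/>
 </intent-filter></receiver></application></manifest>""",
"""<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.example.camera">
 <uses-permission android:name="android.permission.CAMERA"/>
 <application><service android:name=".Snap"><intent-filter>
  <action android:name="com.example.camera.REMOTE_SNAPSHOT"/>
 </intent-filter></service></application></manifest>"""]

def audit(manifests):
    """Map SMS receivers, boot starters and intent-reachable sensor components."""
    out = {"sms": [], "boot": [], "sensor_entry_points": []}
    for xml in manifests:
        root = ET.fromstring(xml)
        pkg = root.get("package")
        perms = {p.get(A + "name") for p in root.iter("uses-permission")}
        for tag in ("receiver", "service", "activity"):
            for comp in root.iter(tag):
                if comp.get(A + "exported") == "false":
                    continue  # explicitly closed to other apps
                for act in comp.iter("action"):
                    name = act.get(A + "name") or ""
                    if name == SMS:
                        out["sms"].append(pkg)
                    elif name == BOOT:
                        out["boot"].append(pkg)
                    elif name and perms & SENSORS and not name.startswith("android."):
                        out["sensor_entry_points"].append(
                            (pkg, comp.get(A + "name"), name))
    # All three pieces present on one image: worth a manual code review.
    out["review"] = all(out[k] for k in ("sms", "boot", "sensor_entry_points"))
    return out
```

A hit is only a pointer for manual review: plenty of legitimate firmware receives SMS and starts services at boot, so what matters is what the flagged components do when invoked.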

Exploiting this backdoor requires knowing the phone number of the target device and its factory-set encryption key. This data is available to Qihoo and Xplora, according to the researchers, and can be pulled off the device physically using specialist tools. This basically means ordinary folks aren't going to be hacked, either by the manufacturer under orders from Beijing or opportunistic miscreants attacking gizmos in the wild, though it is an issue for persons of interest. It also highlights the kind of code left lingering in mass-market devices.

In response to an inquiry from The Register, Xplora, which maintains its own backend infrastructure on AWS in Germany for the smartwatches it distributes, said it has taken steps to address the situation that include the release of a firmware patch.

"Xplora takes privacy and any potential security flaw extremely seriously," the company said in an emailed statement. "Since being alerted, we developed a patch for the Xplora 4 that will eliminate this potential issue and we pushed it out prior to 8am CET on October 9."

The company claimed the security concern arises from code included in prototypes that isn't easily accessible. When the smartwatch was being designed, the company says, parents provided feedback indicating that they want to be able to contact their children in an emergency and to be able to obtain location imagery in the event of a kidnapping.

Xplora included the snapshot and other features as part of a prototype test but decided not to implement them in the commercial release due to privacy concerns.

"It is important to note that the potential flaw requires physical access to the X4 watch and the private phone number," Xplora's spokesperson said. "Even if this is activated, the only place the image would go is to Xplora’s server in Germany located in a highly-secure Amazon Web Services environment which is not accessible to third parties."

The spokesperson said the company has conducted an audit since it was notified of the security report and found no evidence the security flaw was being exploited. ®
