This blog post provides a technical description of how my colleague Erlend and myself discovered a backdoor in a smartwatch made for children. The device is a wearable smartphone, and the backdoor enables remote and covert surveillance through wiretapping, taking pictures, and location tracking.
The backdoor appears to be authored by the manufacturer of the watch, the Chinese technology company Qihoo 360. The watch is re-branded and sold to European and US markets by the Norwegian firm Xplora, who claim to have sold more than 350 000 smartwatches for children globally.
The backdoor itself is not a vulnerability. It is a feature set developed with intent, with function names that include remote snapshot, send location and wiretap. The backdoor is activated by sending SMS commands to the watch.