Xplora children's smartwatch: security flaws allowed access to every device
Tuesday, December 30, 2025
What
Nils Rollshausen from TU Darmstadt presented critical security flaws in Xplora children's smartwatches at the 39th Chaos Communication Congress (39C3). The vulnerabilities stemmed from easily accessible debug modes and the use of static secrets within the device firmware, which allowed researchers to generate valid API keys for any watch. This enabled attackers to gain complete control over the devices, leading to severe privacy and safety risks for children using these smartwatches.
Where
The vulnerabilities affect Xplora children's smartwatches, manufactured by the Norwegian company Xplora, which has sold over 1.5 million units globally. In Germany, these watches are offered by Telekom in bundle deals. The research was conducted by TU Darmstadt in Germany.
When
The vulnerabilities were presented at the 39th Chaos Communication Congress (39C3). Initial attempts to disclose the flaws to Xplora were difficult, with the vendor's vulnerability disclosure program being faulty and emails going unanswered until about a week before the 39C3 talk. Firmware updates in August and October did not resolve the core issues. Xplora finally made direct contact on December 22 and committed to releasing a comprehensive fix in an update planned for January 2026.
Key Factors
- •Researchers gained initial access to a debug mode by tapping the version number on the watch, similar to Android devices, and then manually brute-forcing a four-digit PIN to unlock it.
- •The core vulnerability lies in the use of static secrets embedded within the smartwatch firmware, which, when combined with publicly available data like timestamps and serial numbers, allowed the generation of valid API keys for any Xplora watch.
- •The exploited flaws enabled severe actions, including remotely manipulating a child's GPS location (demonstrated by virtually 'teleporting' a child to Pyongyang), intercepting and sending messages, and remotely performing factory resets on devices.
- •Xplora's initial response to the disclosure was poor; their vulnerability disclosure program was broken, and subsequent firmware updates in August and October only changed the debug PIN length and lockout mechanism but failed to rotate the critical static secrets, leaving the primary vulnerabilities unaddressed.
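The following is an added illustration of the flaw class in the second and fourth key factors, not code from the talk or from Xplora: a key derivation that mixes one firmware-wide constant with public inputs (serial number, timestamp) can be reproduced by anyone who has extracted that constant from a single device, and changing the PIN length or lockout does nothing about it. The secret values, serial format, and the per-device provisioning shown as the hardened alternative are all constructed assumptions for the example, not a description of Xplora's real scheme or fix.

```python
"""Constructed example: static-secret API key derivation vs. per-device keys.

This does NOT reproduce Xplora's actual key format; it models the pattern
described in the talk (firmware-wide constant + serial + timestamp).
"""
import hashlib
import hmac
import secrets

# Hypothetical firmware-wide constant: every watch ships with the same value,
# so pulling it out of one device's firmware is enough to attack all of them.
STATIC_FIRMWARE_SECRET = b"constructed-static-secret-shared-by-all-devices"


def weak_api_key(serial: str, timestamp: int) -> str:
    """Key derived only from the shared constant and public inputs."""
    msg = f"{serial}:{timestamp}".encode()
    return hmac.new(STATIC_FIRMWARE_SECRET, msg, hashlib.sha256).hexdigest()


def attacker_forges_key(leaked_secret: bytes, victim_serial: str, timestamp: int) -> str:
    """An attacker holding the leaked constant recomputes any device's key
    without ever touching that device."""
    msg = f"{victim_serial}:{timestamp}".encode()
    return hmac.new(leaked_secret, msg, hashlib.sha256).hexdigest()


def strong_api_key(device_secret: bytes, serial: str, timestamp: int) -> str:
    """Same construction, but keyed with a secret unique to this one device."""
    msg = f"{serial}:{timestamp}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


class Backend:
    """Hardened variant (illustrative design, not Xplora's fix): the backend
    provisions a random secret per serial at manufacture and only accepts
    keys computed with that device's own secret."""

    def __init__(self) -> None:
        self._device_secrets: dict[str, bytes] = {}

    def provision(self, serial: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._device_secrets[serial] = secret
        return secret  # burned into exactly one device

    def verify(self, serial: str, timestamp: int, presented: str) -> bool:
        secret = self._device_secrets.get(serial)
        if secret is None:
            return False
        expected = strong_api_key(secret, serial, timestamp)
        return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Run both scenarios and report whether forgery succeeds in each."""
    ts = 1735560000          # constructed timestamp
    victim = "XPL-0000123"   # constructed serial number

    # Weak scheme: leaked constant + victim's public serial = victim's key.
    forged = attacker_forges_key(STATIC_FIRMWARE_SECRET, victim, ts)
    weak_forgeable = forged == weak_api_key(victim, ts)

    # Hardened scheme: attacker owns one watch (and its secret) and knows
    # the victim's serial, but cannot produce a key the backend accepts.
    backend = Backend()
    attacker_secret = backend.provision("XPL-ATTACKER")
    victim_secret = backend.provision(victim)
    forged_hardened = strong_api_key(attacker_secret, victim, ts)
    legit = strong_api_key(victim_secret, victim, ts)

    return {
        "weak_forgeable": weak_forgeable,
        "hardened_forgery_accepted": backend.verify(victim, ts, forged_hardened),
        "hardened_legit_accepted": backend.verify(victim, ts, legit),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is in what rotating the constant would and would not buy: rotating STATIC_FIRMWARE_SECRET invalidates old forged keys, but as long as the new constant is again shared by every watch, one more firmware dump restores the attacker's position. Only a secret that differs per device (and is never shipped in a common image) breaks the "one extraction, all devices" property.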
Takeaways
- →Parents should be critically aware of the security posture of smart devices, especially those marketed for children, and demand transparency regarding security practices and timely vulnerability patching from manufacturers.
- →This incident highlights the critical need for robust 'security-by-design' principles in IoT devices, particularly those handling sensitive data or used by vulnerable populations, emphasizing dynamic authentication and proper key management over static secrets.
- →Users of Xplora smartwatches should ensure their devices receive the promised January 2026 firmware update and remain vigilant for further security advisories, as the current vulnerabilities pose significant privacy and safety risks.
Original article: Heise Security