“It’s a failure to correctly check that the person logged in to the account is the person authorised to access that data,” Mr Munro said in an email. “As a result, anyone can access anyone else’s data.”
Mr Munro and Mr Hunt both described the flaw in detail on separate blog posts on their respective websites. Mr Hunt also filmed a video of his six-year-old daughter Elle using the watch and it was remotely accessed by an unauthorised third party, who spoke to her.
“If you can count you can exploit this risk,” Mr Hunt said, describing how the flaw meant it was as easy as changing a number in a URL to access another child’s smartwatch.
“I would never buy one of these watches for my children.
“The only reason I bought this was to demonstrate the flaw. If I were a parent who bought one with the intention of using it I would return it and ask for a refund.”
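The flaw Mr Hunt describes is an object-level authorisation failure: the service authenticates the caller but never checks that the child ID taken from the URL belongs to the caller’s own account. As an added illustration (not code from TicTocTrack, Gator or Nibaya, with all account and child records constructed), here is that insecure lookup beside the ownership check that closes it:

```python
# Added example, not vendor code: a minimal model of the access-control failure
# described in the article, beside the check that fixes it. Names, records and
# the "session" account ID are all constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Child:
    child_id: int
    account_id: int        # the parent account that owns this watch
    last_location: str


# Constructed sample data: two parents, one watch each, sequential child IDs.
CHILDREN = {
    1001: Child(1001, account_id=1, last_location="school A"),
    1002: Child(1002, account_id=2, last_location="park B"),
}


class Forbidden(Exception):
    """Raised when the caller is not authorised for the requested record."""


def get_location_insecure(session_account_id: int, child_id: int) -> str:
    """Mirrors the flaw: the caller is logged in, but the child ID from the
    URL is trusted as-is, so any account can read any child's location."""
    return CHILDREN[child_id].last_location


def get_location_secure(session_account_id: int, child_id: int) -> str:
    """Object-level authorisation: the requested child must belong to the
    account that owns the session, not merely exist."""
    child = CHILDREN.get(child_id)
    if child is None or child.account_id != session_account_id:
        # One response for "missing" and "not yours", so the ID space cannot be
        # mapped by telling the two cases apart.
        raise Forbidden(f"account {session_account_id} may not read child {child_id}")
    return child.last_location


def is_denied(handler, session_account_id: int, child_id: int) -> bool:
    """True if handler refuses the request with Forbidden (used to compare the two)."""
    try:
        handler(session_account_id, child_id)
        return False
    except Forbidden:
        return True
```

A reviewer can apply the same test to any endpoint that takes a record ID: log in as account A, request a record owned by account B, and expect a refusal rather than data.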
The watch, which requires a SIM card and monthly subscription of between $6 and $20, has been on sale in Australia since about 2014 and makes use of hardware made by Chinese company Gator.
The software is developed in partnership with Sri Lanka-based Nibaya, although Ms Cantwell said TicTocTrack dealt with the head of the company’s development team in Perth.
Ms Cantwell described the British security researcher’s explanation of the flaw as “a generalisation”.
“This is yet to be confirmed as an issue beyond the penetration testing conducted by Ken Munro,” Ms Cantwell said, declining to reveal how many TicTocTrack smartwatches have been sold in Australia.
Earlier this month, Ms Cantwell told ABC News that sales had increased by 600 per cent over the past three years. Mr Hunt estimates sales could be around 3500 if the number assigned to the watch he bought was sequential. “We’ll pass on this question,” Ms Cantwell said when asked.
In addition to receiving money from the Queensland government, Ms Cantwell is a registered National Disability Insurance Scheme provider.
In November 2017, news website WeLiveSecurity reported that German parents were being told to destroy smartwatches they bought for their children after the country’s communications regulator put a ban in place to prevent their sale following revelations about similar security flaws.
Ben Grubb is a Desk Editor/Locum Homepage Editor for The Sydney Morning Herald.