Discussion

A KTH student hacked a children's watch

coredev_: I'm very excited for EUs CRA, very promising for the future of digital security in the EU.

defraudbah: which smartwatch was that?the source linked in the article is dead, and I only see that AI slop comment here-- MyFirst Fone R1, singaporefunny that it's called my first, find my first upon your device, haha

pavel_lishin: https://kth.diva-portal.org/smash/record.jsf?pid=diva2%3A203...> In this thesis, welldocumented grey-box ethical hacking is conducted of the network service and firmware attack surfaces of the children’s smartwatch myFirst Fone R1s.

john_strinlai: presumably, "CRA" in this comment stands for "Cyber Resilience Act" (https://digital-strategy.ec.europa.eu/en/policies/cyber-resi...)

j45: Someone really needs to make a watch for kids sans touchscreen but with enough features for parents.

perching_aix: I keep reading about how IoT / wearables / smart home devices are routinely both vulnerable and exploited, if not even come with malware preinstalled, so I was curious to finally go through a primary source like this.After skimming through the attacks performed in this research, and checking every mention of the word "internet", all I got was a section with a hypothetical scenario where the watch has a publicly reachable IPv4 address. Suffice to say, that is really quite unlikely, certainly in my experience at least.It did also talk about bundled malware, so I guess that's bad enough, but is all IoT research like this? Always sounded to me like you kinda need to already have a foot in the door for these, and this paper didn't dispel that notion for me at all.

pixl97: "You're safe as long as every device on the network you're on is safe" isn't safe.In theory I should be able to take a modern browser/device over a completely compromised router and either be safe, or have my device tell me "holy shit, something is wrong".The days of local trust should be long gone by now.

wnevets: > Suffice to say, that is really quite unlikely, certainly in my experience at least.Why is that? Are the cellular carriers blocking access?

nickthenerd: The source site/paper won't load for me at this time, but if the device has a cellular modem in it for network connectivity, it will 100% be assigned an IPv4 address from the carrier. Unless this device is using an APN at the carrier level, or is using a SIM provider that provides some additional security.

parliament32: > a hypothetical scenario where the watch has a publicly reachable IPv4 addressOr one of your other IoT / smart home devices / malware on your PC is doing local network reconnaissance? Connecting this device to a public wifi? Or just a bad neighbour who hijacks your SSID? This smells of "I'm secure because I'm behind a NAT" which conveniently ignores the couple dozen other paths an adversary could take.