CVE-2024-36558 - Forever KidsWatch Call Me KW-50 R36_YDR_A3PW_GM7S_V1._2019_07_15_16.19.24_cob_h Cleartext Transmission of Sensitive Information Vulnerability

Forever KidsWatch Call Me KW-50 (R36_YDR_A3PW_GM7S_V1._2019_07_15_16.19.24_cob_h) is a popular smartwatch designed for children. Unfortunately, this kid-friendly device has been found to have a critical vulnerability (CVE-2024-36558) that exposes sensitive user data due to a lack of encryption in communication between the device and its servers. This vulnerability could potentially allow attackers to intercept and exploit sensitive user information, including the child's location, personal details, and even voice recordings.

Exploit Details

This vulnerability is a result of the device's communication protocol not implementing Transport Layer Security (TLS) for communications between the KidsWatch device and its backend servers. Consequently, all communication takes place in cleartext, making it easy for attackers to intercept and read the transmitted data.

A simple Python code snippet demonstrates the problem

import socket

target_ip = "example.kidswatch.server"
target_port = 80

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target_ip, target_port))

request = "GET /api/v1/device/location HTTP/1.1\r\nHost: {}\r\n\r\n"
s.send(request.format(target_ip).encode())

response = s.recv(1024)
print("Received:\n{}".format(response.decode()))

In this code, we create a simple socket and connect to the target server responsible for handling location data of the KidsWatch device. We then send an unencrypted HTTP GET request to retrieve the device location. The response, which should ideally be encrypted, is received in cleartext, potentially exposing the sensitive data to attackers.

More information regarding the CVE-2024-36558 vulnerability can be found at the following links

1. Exploit Database - Exploit Database's entry for CVE-2024-36558.
2. CVE Details - In-depth details of the vulnerability.
3. Forever KidsWatch Official Website - Official website for the device, though it does not mention the vulnerability.

Mitigation Steps

Users of Forever KidsWatch Call Me KW-50 (R36_YDR_A3PW_GM7S_V1._2019_07_15_16.19.24_cob_h) should contact the manufacturer for a possible firmware update to address the issue of cleartext transmission of sensitive data. Here are a few steps that can be taken:

Temporarily disable any unsecured communication and services related to the device.

3. Educate children and parents to be cautious when using the function that might transmit sensitive information.

Conclusion

CVE-2024-36558 is a critical vulnerability affecting Forever KidsWatch Call Me KW-50 (R36_YDR_A3PW_GM7S_V1._2019_07_15_16.19.24_cob_h) users. This vulnerability allows attackers to intercept and potentially exploit sensitive user information. Parents should be cautious when using the device and follow appropriate mitigation steps to ensure the safety and privacy of their children. Manufacturers should prioritize implementing proper encryption methods, like TLS, to protect their users' data.

Timeline

Published on: 02/06/2025 18:15:31 UTC
Last modified on: 03/19/2025 15:15:47 UTC