EXCLUSIVE: Major Security Flaw Exposed in Popular Kids' Smartwatch, Putting Children's Safety at Risk


Security researchers have cracked Xplora smartwatches

A stark investigation reveals that Xplora, a market leader in children's smartwatches, has been shipping devices with a fundamental security vulnerability, leaving the private data and location of thousands of children exposed.

For years, parents have turned to smartwatches like those from Norwegian company Xplora for peace of mind. Marketed with aggressive promises of the highest security standards and transparency, these devices have become a staple. In Norway alone, nearly every fifth child aged 4 to 10 wears one. But behind this facade of safety, a grim reality has been uncovered by cybersecurity researchers at Germany’s prestigious TU Darmstadt, revealing flaws that could allow strangers to track, message, and listen to children.

A Master's Thesis Uncovers a Market-Wide Failure

The alarming discovery began not in a corporate security lab, but as part of a Master's thesis by student Malte Vu, under the supervision of researcher Nils Rollshausen. Their target was a current Xplora watch model. The time to first breach was shockingly low.

“Within a few days, we managed to activate the watch’s PIN-protected developer mode and extract the software,” explained Rollshausen. “Malte manually cracked the required PIN code in just a few hours.” This initial breach was just the gateway. The subsequent analysis revealed a catastrophic oversight: the researchers found a general cryptographic key that is identical on every device of the same model type. This universal key acts as a master pass, undermining the entire security architecture.

For more details on the academic research that sparked this investigation, see the official release from TU Darmstadt.

The IMEI Number: All an Attacker Needs

This universal key grants deep, unauthorized access to a watch’s data. The only piece of information an attacker requires? The watch’s IMEI number—the standard 15-digit identification number found on all mobile devices.

Rollshausen, presenting the findings at the recent 39th Chaos Communication Congress (39C3), illustrated how simple it would be to automate an attack. “Since the first digits of the IMEI are identical for a model range, a program could theoretically scan the entire manufacturer’s number range and access data from all watches in circulation,” he demonstrated.

The consequences are terrifying:

  • Reading private chats between children and their parents.
  • Intercepting images and voice notes.
  • Manipulating and tracking the child’s location in real-time.
  • Sending fake messages to the parent's app, impersonating the child.
  • Establishing two-way communication without the family's knowledge.

The full technical presentation from the Chaos Communication Congress, where the exploit was publicly detailed, is available to watch online.
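The scan Rollshausen describes has a recognisable shape on the server side: one client touching many different IMEIs that share a model prefix. The sketch below is an added example, not code from Xplora or the researchers; the event format, client names, thresholds and IMEIs are all constructed assumptions.

```python
from collections import defaultdict, deque

TAC_LEN = 8  # leading IMEI digits shared by a model range


def flag_enumeration(events, window_s=300, max_distinct=5):
    """Return the set of (client, tac) pairs that touched more than
    max_distinct different IMEIs under one prefix inside any
    window_s-second window.

    events: iterable of (unix_ts, client_id, imei), in any order.
    """
    recent = defaultdict(deque)  # (client, tac) -> deque of (ts, imei)
    flagged = set()
    for ts, client, imei in sorted(events):
        key = (client, imei[:TAC_LEN])
        q = recent[key]
        q.append((ts, imei))
        # Drop requests that have fallen out of the sliding window.
        while q and ts - q[0][0] > window_s:
            q.popleft()
        if len({seen for _, seen in q}) > max_distinct:
            flagged.add(key)
    return flagged


def sample_events():
    """Constructed traffic: not real IMEIs, clients or logs."""
    tac = "12345678"
    ev = []
    # A parent app polling the same two watches once a minute.
    for t in range(0, 600, 60):
        ev.append((t, "app-family", tac + "0000417"))
        ev.append((t, "app-family", tac + "0000523"))
    # One client requesting a new consecutive serial every second.
    for n in range(40):
        ev.append((100 + n, "client-x", f"{tac}{n:06d}0"))
    # A support desk that looks up six watches across six hours.
    for n in range(6):
        ev.append((n * 3600, "support-desk", f"{tac}9{n:05d}0"))
    return ev


if __name__ == "__main__":
    print(flag_enumeration(sample_events()))
```

Monitoring of this kind only surfaces a scan in progress; it does not change the fact that the same key is present on every device of a model.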

A Slow and Insufficient Response from Xplora

Perhaps most concerning is the manufacturer's reaction timeline. Xplora was informed of these critical vulnerabilities in May 2025. The first remedial update only arrived in August, which merely increased the developer mode PIN length and limited login attempts—a move the researchers saw as an attempt to lock them out, rather than fix the core issue.

The universal key flaw remained completely untouched. After Xplora stopped responding to researchers' follow-up inquiries by October, the team was forced to involve Germany’s Federal Office for Information Security (BSI).

A subsequent update at the end of October 2025 also failed to patch the vulnerability, with researchers noting that minor adjustments to their exploit were enough to regain full control.

A Promise of a Fix—And a Stark Workaround

Following renewed pressure and several phone calls in late December 2025, Xplora has now announced a comprehensive security update scheduled for January 2026. Rollshausen cautiously expects a proper solution this time. Security experts strongly urge all Xplora parents to install this update immediately upon its release.

In a striking demonstration of the platform's inherent insecurity, Rollshausen conducted a technical experiment: he successfully installed the secure, end-to-end encrypted messenger Signal directly onto the compromised Xplora watch. This workaround highlights the desperate choice parents face: trust the manufacturer's soon-to-be-updated system or manually seek out alternative, secure communication channels for their children's devices.

Xplora markets itself as a guardian of children's digital safety. For thousands of families, the wait for a genuine fix has been perilously long. The January 2026 update will be a critical test of whether the company can truly live up to its promises.

For information on Xplora watches and official updates, see the manufacturer's website.

