  • Security Researchers Hack Xplora Smartwatches: Key Vulnerability

    Key Takeaways

    1. Xplora is recognized as a top brand in kids’ smartwatches, but security issues have been uncovered by researchers.
    2. A study revealed that Xplora smartwatches can be breached quickly, with a common cryptographic key shared among devices.
    3. Hackers can easily access personal data, including private messages and location information, using the watch’s IMEI number.
    4. Xplora delayed necessary security updates, with only minor changes made despite being notified of the vulnerabilities.
    5. Parents face a dilemma between trusting Xplora’s security claims and using alternative secure communication methods for their children.


    Xplora has been recognized as a top player in the kids’ smartwatch industry. The Norwegian brand promotes its commitment to high security and transparency. In Norway, nearly one in five children aged 4 to 10 sport such a device. However, investigations from TU Darmstadt, a German university, reveal a much darker truth behind the marketing claims.

    Security Breach Findings

    In a Master’s thesis, Malte Vu studied a current Xplora smartwatch under Nils Rollshausen’s guidance. The time taken to breach the device’s security was alarmingly short. Within days, they activated the PIN-protected developer mode and extracted the software. Malte Vu was able to crack the necessary PIN code in just a few hours.

    The subsequent analysis uncovered a serious security issue: the researchers discovered that all similar devices share a common cryptographic key.

    Universal Key Risks

    This shared key grants extensive data access. Hackers only need the watch’s IMEI number, a 15-digit identifier. The first 8 digits are the same for all units of a particular model, followed by a unique 6-digit serial number and a check digit at the end.

    During his presentation at 39C3, Rollshausen demonstrated how easy it would be to conduct an automated scan across a manufacturer’s entire IMEI range. Such a tool could potentially access data from all watches in stock. The implications are significant; unauthorized individuals could read private messages, intercept images and voice notes, or even manipulate location data. They could also send fake messages to the parent app pretending to be the child, creating two-way communication channels.

    Delays in Security Updates

    Despite being notified of these issues in May 2025, Xplora took a considerable amount of time to implement necessary changes. The first update in August merely increased the PIN length to 6 digits and restricted the number of failed attempts. It seems the company aimed to prevent researchers and hackers from accessing developer mode.

    However, the main security issue, the universal key, remained unaffected. After the manufacturer stopped responding to inquiries in October, the researchers involved reached out to Germany’s Federal Office for Information Security.

    A subsequent update at the end of October also failed to address the problems, and minor adjustments to the exploit were sufficient to regain complete access. Xplora has now promised a comprehensive security update for January 2026. It’s highly recommended to install this update right after it becomes available. Following several discussions with the manufacturer in late December 2025, Rollshausen is hopeful for a genuine solution.

    In a technical demonstration, Rollshausen also showed an alternative approach. He installed the secure messaging app Signal directly on the smartwatch. This highlights a critical issue: parents must currently choose between trusting the company’s claimed security or opting for a different secure communication method.
