#WatchOut: EU aiming to strengthen security of GPS watches

The European Commission has taken initiative to expand the EU’s Radio Equipment Directive and adopt a new regulation that includes security requirements for IoT products. The proposal directly points to the findings from the Norwegian Consumer Council and mnemonic’s joint project #WatchOut.

In the fall of 2017, mnemonic performed technical security assessments of GPS watches marketed towards parents and their children, on behalf of the Norwegian Consumer Council.

The tests discovered significant security flaws in the devices tested, which could lead to information about children’s location and activities ending up in the wrong hands. The flaws were not technically difficult to exploit, and could allow a third party to covertly take control over the watch and use it to track, listen to, or even speak with the child.


Initiative to strengthen the Radio Equipment Directive

In its new initiative, the European Commission has suggested amendments aimed at strengthening cybersecurity and privacy requirements for Internet-connected devices and wearables. The existing Radio Equipment Directive (RED) provides a common regulatory framework and sets requirements for equipment containing radio transmitters, and so applies to most smart devices that use Wi-Fi or GSM for communication.

In its initiative, the European Commission refers directly to the findings from the Norwegian Consumer Council and mnemonic about GPS watches for children from the #WatchOut project in 2017, as well as the Norwegian Consumer Council’s findings regarding smart toys in 2016.

The proposal is currently undergoing an initial impact assessment, which will close for comments on March 4th 2019. The next step will be a public consultation period during the second quarter of 2019, which may subsequently lead to a draft act and adoption into the directive, currently scheduled towards the end of 2019.


Warns against GPS watches

Along with the suggested amendments to the Radio Equipment Directive, the EU has for the first time issued a rapid alert (RAPEX) for an IoT product on the basis of security vulnerabilities that create a privacy risk. The alert is an EU-wide warning about vulnerabilities in the ENOX GPS watch, which were reported by the Icelandic government. The vulnerabilities are similar to those found by the #WatchOut project.

“The EU is showing willingness to tackle a problem that the security industry has long pointed to - millions of Internet-connected gadgets, coupled with weak security culture among manufacturers, in an unregulated market,” says Tor Erling Bjørstad, Team Leader, Technical Risk Services in mnemonic. “It’s a positive development that there is political will to make demands on what can be sold to consumers.”


Download the Norwegian Consumer Council's analysis of smartwatches for children and mnemonic's technical report describing our main findings here.