CVE-2024-36554
📋 TL;DR
This vulnerability in Forever KidsWatch smartwatches allows attackers to remotely extract sensitive device information by sending specially crafted SMS messages. The flaw affects Forever KidsWatch Call Me KW-50 and KW-60 models, potentially exposing children's location data and device identifiers to malicious actors.
💻 Affected Systems
- Forever KidsWatch Call Me KW-50
- Forever KidsWatch Call Me KW-60
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could track children's real-time locations, access personal device information, and potentially use this data for physical stalking or social engineering attacks against families.
Likely Case
Malicious users harvest device identifiers and location data for surveillance or to enable further attacks against the smartwatch ecosystem.
If Mitigated
With proper SMS filtering and network segmentation, the attack surface is reduced but not eliminated since SMS is a core device function.
🎯 Exploit Status
Exploitation requires only SMS capability and knowledge of the target phone number. The research paper demonstrates practical exploitation techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None found
Restart Required: No
Instructions:
No official patch available. Contact Forever KidsWatch vendor for firmware updates if they become available.
🔧 Temporary Workarounds
Disable SMS functionality
Remove or disable the SIM card in the smartwatch to prevent SMS-based attacks
Implement SMS filtering
Configure the mobile carrier to block SMS from unknown numbers, or implement parental controls
🧯 If You Can't Patch
- Immediately discontinue use of affected smartwatches for children's safety
- Replace vulnerable devices with models from vendors with better security track records
🔍 How to Verify
Check if Vulnerable:
Send a test SMS to the device from an unknown number and check if it responds with device information. Note: This test could expose sensitive data.
Check Version:
Check the device firmware version in the smartwatch settings menu or in the companion app
Verify Fix Applied:
Test if SMS responses containing device information are no longer returned after implementing workarounds.
📡 Detection & Monitoring
Log Indicators:
- Unusual SMS activity in the device's logs
- Multiple SMS responses sent to unknown numbers
Network Indicators:
- SMS traffic to smartwatch from suspicious numbers
- Unexpected SMS responses containing device metadata
SIEM Query:
sms.source NOT IN (trusted_numbers) AND sms.destination IN (smartwatch_numbers)
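The query above only covers the inbound half of the pattern. The following is an added example (not part of the advisory, and not vendor or research-paper code) that applies both detection ideas from this section to carrier or gateway SMS logs: inbound messages to a watch number from outside a trusted allow-list, and outbound responses from a watch to an untrusted number whose body looks like device metadata. The log line format, the phone numbers, the allow-list, the metadata heuristics (an IMEI-length digit run or a coordinate pair) and the message bodies are all constructed for the example.

```python
"""Detection logic for the SMS-based information-disclosure pattern described
in the advisory. Everything below (log format, numbers, message bodies and the
metadata heuristics) is constructed for illustration, not taken from a device."""
import re
from dataclasses import dataclass

# Assumed allow-list: numbers permitted to message the watch (e.g. parents' phones).
TRUSTED_NUMBERS = {"+15550001111", "+15550002222"}
# Assumed inventory of smartwatch SIM numbers being monitored.
SMARTWATCH_NUMBERS = {"+15559990001"}

# Constructed heuristics for "device metadata" in a reply:
# a 15-digit run (IMEI-like) or a decimal latitude,longitude pair.
IMEI_RE = re.compile(r"\b\d{15}\b")
COORD_RE = re.compile(r"-?\d{1,2}\.\d{3,},\s*-?\d{1,3}\.\d{3,}")


@dataclass
class SmsEvent:
    ts: str
    source: str
    destination: str
    body: str


def parse_line(line):
    """Parse one constructed log line: '<ts> <src> -> <dst> | <body>'."""
    ts, rest = line.split(" ", 1)
    route, body = rest.split(" | ", 1)
    src, dst = route.split(" -> ")
    return SmsEvent(ts, src.strip(), dst.strip(), body.strip())


def classify(ev):
    """Return the list of alert reasons for one SMS event (empty if benign)."""
    reasons = []
    # Inbound to a watch from a number outside the allow-list (the SIEM query above).
    if ev.destination in SMARTWATCH_NUMBERS and ev.source not in TRUSTED_NUMBERS:
        reasons.append("untrusted_source_to_watch")
    # Outbound from a watch to an untrusted number with metadata-looking content.
    if ev.source in SMARTWATCH_NUMBERS and ev.destination not in TRUSTED_NUMBERS:
        if IMEI_RE.search(ev.body) or COORD_RE.search(ev.body):
            reasons.append("metadata_response_to_untrusted")
    return reasons


def scan(lines):
    """Run classify() over log lines and return (event, reasons) for alerts only."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            alerts.append((ev, reasons))
    return alerts


def count_untrusted_senders(alerts):
    """Count inbound alerts per untrusted source, to spot repeated probing."""
    counts = {}
    for ev, reasons in alerts:
        if "untrusted_source_to_watch" in reasons:
            counts[ev.source] = counts.get(ev.source, 0) + 1
    return counts


# Constructed sample log: a trusted exchange, then an untrusted number messaging
# the watch twice and receiving one reply that carries an IMEI-like value.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z +15550001111 -> +15559990001 | where are you?
2024-06-01T10:00:05Z +15559990001 -> +15550001111 | 40.7128,-74.0060
2024-06-01T10:02:11Z +15557778888 -> +15559990001 | status request
2024-06-01T10:02:14Z +15559990001 -> +15557778888 | imei:123456789012345 ver:1.0
2024-06-01T10:03:00Z +15557778888 -> +15559990001 | status request
"""

if __name__ == "__main__":
    for ev, reasons in scan(SAMPLE_LOG.splitlines()):
        print(ev.ts, ev.source, "->", ev.destination, reasons)
    print(count_untrusted_senders(scan(SAMPLE_LOG.splitlines())))
```

The watch-to-trusted-number coordinate message is deliberately left unflagged: location replies to an allow-listed parent are the device's normal behaviour, and alerting on them would bury the real signal, which is a reply carrying device metadata to a number that never should have been able to ask.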