MyFirst Kids Smartwatch Exposes Camera, Microphone Access Via Unauthenticated Remote Exploit
Swedish security researcher demonstrates critical vulnerabilities in children's wearable allowing remote surveillance—latest in systemic failure pattern across IoT kids market
A Swedish security researcher has exposed critical security vulnerabilities in the MyFirst Fone R1s kids smartwatch that allow remote unauthenticated access to the device’s camera and microphone, demonstrating how a product marketed to protect children instead exposes them to potential surveillance.
The device, identified in Swedish media as the MyFirst Fone R1s by MyFirst, exposed an insecure network service directly to the internet, according to Hacker News discussions of the researcher’s thesis published in March 2026. The disclosure adds to a documented pattern of systemic security failures in the children’s IoT market, where devices designed to give parents peace of mind instead create new attack surfaces.
Surveillance by Design Flaw
The MyFirst Fone R1s, which retails for approximately $269 and features 4G LTE connectivity, GPS tracking, video calling, and heart rate monitoring, is marketed as an all-in-one safety device for children aged 6-12. But the Swedish researcher’s findings show that the very features intended for parental oversight, the built-in camera and microphone, can be reached by unauthorized parties.
The vulnerability follows a troubling industry pattern. The Norwegian Consumer Council has uncovered serious security and privacy flaws in smartwatches for children. Strangers can easily seize control of the watches and use them to track and eavesdrop on children, according to a 2017 Norwegian Consumer Council report that tested multiple brands.
As reported by CPO Magazine in a 2020 investigation of Thinkrace-platform devices, a newly discovered cloud vulnerability allows third parties to access these watches without any particular hacking skills, and at least 47 million devices are thought to be compromised. Security researchers with Pen Test Partners discovered that each device connected to the cloud platform can be accessed with nothing more than the device’s unique identification number.
Regulatory Exposure and GDPR Violations
If confirmed, an unauthenticated internet-facing service on a child’s device is hard to square with EU data protection law: GDPR Article 32 requires security measures appropriate to the risk, and Article 25 requires data protection by design and by default. Regulators have already shown their appetite for enforcing children’s-privacy provisions. In September 2022, Instagram was fined by the Irish Data Protection Commission (DPC) for violating GDPR, particularly concerning children’s privacy online. The investigation revealed that Instagram’s user registration system defaulted child accounts to a “public” setting unless manually changed to “private.” This practice violated GDPR’s privacy by design principles and its provisions to safeguard children’s personal information, according to WP Legal Pages. Instagram’s €405 million fine demonstrates that appetite.
Under Article 83 of the GDPR, the most serious infringements, including breaches of the core processing principles and of data subjects’ rights, can trigger fines up to €20 million or 4% of global annual turnover, whichever is higher; failures of the security-of-processing and data-protection-by-design obligations (Articles 25 to 39) sit in the lower tier, up to €10 million or 2%. The regulation requires enhanced protections for children, including parental consent for online services offered directly to a child under 16 (member states may lower the threshold to 13), data minimization, and data protection by design and by default.
TikTok is facing a substantial fine of €345 million due to violations of GDPR, with a specific focus on its handling of children’s accounts. The Irish Data Protection Commission (DPC) concluded its investigation in September 2023, examining TikTok’s data practices between July 31 and December 31, 2020, particularly concerning young users, as reported by Data Privacy Manager.
MyFirst, a Singapore-based company owned by Oaxis Asia and founded in 2010, markets multiple smartwatch models across global markets including North America, Europe, and Asia-Pacific regions. The R1s model uses physical nano SIM cards and relies on both cellular networks and WiFi connectivity for its GPS tracking and communication features.
Industry-Wide Problem
Research published in the Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES 2020) reached the same conclusion: “In this paper, we analyzed six smartwatches for children and the corresponding backend platforms and applications for security and privacy concerns. Using a cellular network Man-in-the-Middle setup, reverse engineering, and dynamic analysis, we found several severe security issues, allowing for sensitive data disclosure, complete watch takeover, and illegal remote monitoring functionality.” Across these studies, the recurring weaknesses are:
- Unauthenticated API access allowing device takeover
- Unencrypted data transmission exposing GPS location and communications
- Default passwords (commonly ‘123456’) unchanged by users
- Insecure cloud platforms with sequential device IDs
- Lack of proper authentication for pairing and configuration
- Public-by-default account settings for child users
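Two of the weaknesses above, an unauthenticated API and sequential device IDs, combine into the failure the Thinkrace and SMA findings describe: the device ID is the only “credential”, so walking the ID space yields every child’s location. The following Python is an added illustration, not code from MyFirst, Thinkrace, SMA or any of the cited researchers; the fleet data, the `vulnerable_location`/`secure_location` functions and the pairing flow are constructed for this example. It shows the vulnerable lookup, the attacker’s enumeration loop against it, and a hardened variant that uses an unguessable public handle plus a bearer token issued only after a pairing code shown on the watch has been entered.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Device:
    device_id: int                      # internal, sequential (as on the flawed platforms)
    child_name: str
    last_fix: Tuple[float, float]       # constructed GPS fix (lat, lon)
    tokens: Set[str] = field(default_factory=set)  # parent-app tokens issued at pairing


# Constructed sample fleet: five watches with consecutive IDs.
FLEET: Dict[int, Device] = {
    i: Device(i, f"child-{i}", (59.3 + i / 1000.0, 18.0 + i / 1000.0))
    for i in range(1000, 1005)
}


# ---- Vulnerable pattern: the ID is the only credential -------------------
def vulnerable_location(device_id: int) -> Optional[Tuple[float, float]]:
    """Return the latest fix for any device whose ID the caller knows or guesses."""
    dev = FLEET.get(device_id)
    return None if dev is None else dev.last_fix


def enumerate_fleet(start: int, count: int) -> Dict[int, Tuple[float, float]]:
    """Attacker's loop: walk a range of sequential IDs; every hit is a child's location."""
    found = {}
    for candidate in range(start, start + count):
        fix = vulnerable_location(candidate)
        if fix is not None:
            found[candidate] = fix
    return found


# ---- Hardened pattern: random handle + token bound to a pairing proof ----
HANDLES: Dict[str, int] = {}  # opaque public handle -> internal device id


def register_public_handle(device_id: int) -> str:
    """Expose the device to the API under a random, non-enumerable handle."""
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = device_id
    return handle


def pair(device_id: int, code_entered: str, code_on_watch: str) -> Optional[str]:
    """Issue a bearer token only after the caller proves possession of the watch
    by entering the one-time code displayed on it (constructed flow for this example)."""
    if not hmac.compare_digest(code_entered.encode(), code_on_watch.encode()):
        return None
    token = secrets.token_urlsafe(32)
    FLEET[device_id].tokens.add(token)
    return token


def secure_location(handle: str, token: str) -> Optional[Tuple[float, float]]:
    """Look up by handle and require a token that was issued for that exact device."""
    device_id = HANDLES.get(handle)
    if device_id is None:
        return None
    dev = FLEET[device_id]
    # Constant-time comparison against each token issued for this device.
    if not any(hmac.compare_digest(token, issued) for issued in dev.tokens):
        return None
    return dev.last_fix


if __name__ == "__main__":
    # Against the vulnerable endpoint, scanning 30 IDs around the fleet finds all five.
    print("enumerated:", enumerate_fleet(990, 30))
    # Against the hardened endpoint, the handle is unguessable and the token is
    # bound to the device, so neither a guessed ID nor a token for another
    # device yields a location.
    h = register_public_handle(1002)
    tok = pair(1002, "9876", "9876")
    print("with valid token:", secure_location(h, tok))
    print("with wrong token:", secure_location(h, "guess"))
```

The point is the authorization check in `secure_location`: the token must have been issued for the device the handle resolves to, not merely be a valid token for some device. That is the check that sequential-ID platforms skipped, and it is independent of whether the transport is encrypted.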
The SMA-WATCH-M2 of the Chinese manufacturer SMA allows attackers to track over 5,000 children around the world due to serious security vulnerabilities. The widely sold children’s watch from a manufacturer in Shenzhen reveals to potential attackers the exact position data of more than 5,000 children around the globe, according to AV-TEST Institute research from 2019.
A notable example is Germany’s ban on certain children’s smartwatches, which were found to function as covert listening tools, violating both child protection laws and parental trust, notes a 2025 PMC study on wearable data policies.
Commercial Incentives vs Security
Insufficient or ineffective oversight of the production of these devices may allow the release of insecure products that prioritise usability over security. Understandably, this threat is of particular concern in the case of wearables for minors, according to research in Wireless Networks.
The children’s smartwatch market has exploded in recent years, driven by parental anxiety about child safety and the desire for communication tools that don’t require giving children full smartphones. MyFirst alone has produced over a dozen products since launching its first kids smartwatch in 2016, including cameras, drawing pads, drones, and audio headphones.
Although the flaws were discovered in low-end kids’ models, many other cheap smartwatches may have similar vulnerabilities. This is because cheaper manufacturers usually don’t have much regard for safety over user-friendliness when putting an entry-level product together, warns Kaspersky.
| Year | Device/Platform | Vulnerability | Affected Users |
|---|---|---|---|
| 2017 | Gator 2, Xplora | Unauthenticated device takeover | Unknown |
| 2019 | SMA-WATCH-M2 | Unencrypted API, no authentication | 5,000+ |
| 2020 | Thinkrace platform | Sequential device IDs, weak passwords | 47-150 million |
| 2026 | MyFirst Fone R1s | Remote camera/mic access | Unknown |
What to Watch
The Swedish disclosure will likely trigger regulatory scrutiny from EU data protection authorities. Under GDPR’s one-stop-shop mechanism the lead authority is the one in the member state where a company has its main EU establishment, which is why Ireland’s DPC, with so many tech companies headquartered in Dublin, handles so many of these cases; a company with no EU establishment can instead be pursued by the authority of any member state where affected users live. MyFirst’s global distribution network across North America, Europe, and Asia-Pacific means potential enforcement actions could span multiple jurisdictions.
Parents currently using MyFirst devices should restrict device permissions through the myFirst Circle companion app and disable WiFi connectivity where possible until the company issues security patches, with one caveat: the reported flaw is a service reachable from the internet, so if that service is reachable over the watch’s cellular connection, turning off WiFi does not remove the exposure, and the only certain interim measure is to keep the watch powered off or remove its SIM. The company has not yet publicly responded to the vulnerability disclosure or provided a timeline for remediation.
The incident underscores broader questions about certification standards for children’s IoT devices. Unlike medical devices or automotive systems, consumer IoT products have faced little mandatory security testing before market release. In the EU that is beginning to change: since 1 August 2025 the Radio Equipment Directive’s cybersecurity delegated act (Delegated Regulation (EU) 2022/30) applies to internet-connected radio equipment, a category that includes a 4G smartwatch, with requirements on network protection, personal-data protection, and fraud prevention. Industry observers expect the Cyber Resilience Act, whose main obligations apply from December 2027 and which requires products with digital elements to be “cybersecure by design and by default,” to close the remaining gaps, though for most consumer products it lets manufacturers self-assess conformity; third-party assessment is mandatory only for the product categories the Act designates as important or critical.
For the children’s smartwatch sector, the pattern is clear: devices marketed as safety tools have become surveillance liabilities, and regulatory enforcement remains the only mechanism forcing manufacturers to prioritize security over speed-to-market.