Same key for all units: Security researchers have hacked Xplora smartwatches

Security researchers have cracked Xplora smartwatches (Image source: AI-generated with Nano Banana Pro)
A talk at 39C3 has revealed serious security flaws in Xplora smartwatches. Researchers from a German university show how a universal key provides access to the communication of all kids with Xplora watches, and why the manufacturer's previous updates haven’t fixed this.

Xplora is considered a market leader in smartwatches for kids. The Norwegian company aggressively advertises the highest security standards and transparency. In Norway, almost every fifth child between 4 and 10 years old wears such a device. However, the reality behind the marketing facade looks pretty grim, as evidenced by investigations from the German university TU Darmstadt.

Master's student cracks market leader

As part of his Master's thesis, Malte Vu examined a current Xplora watch under the supervision of Nils Rollshausen. The time required for the first breach was shockingly low. Within a few days, they managed to activate the watch's PIN-protected developer mode and extract the software. Malte Vu manually cracked the required PIN code in just a few hours.

The subsequent analysis revealed a fundamental security flaw, as the researchers found a general cryptographic key that is identical on all devices of the same type.

Mass access via IMEI

This universal key allows for deep data access. Attackers only need the IMEI number of the watch in question, which is a 15-digit identification number. The first 8 digits are identical for all units of a specific model. They are followed by a 6-digit serial number and a single check digit at the end.

In his presentation at 39C3, Rollshausen illustrated how simple an automated scan of a manufacturer's entire IMEI range could be. Such a program could theoretically read the data of the entire inventory of watches. The consequences are huge, as strangers can read private chats, intercept images and voice notes or even manipulate the location. It’s even possible to send fake messages to the parent app in the name of the child. Communication channels would also be open in both directions.
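The IMEI layout described above, as an added Python example (not code from the researchers or Xplora): it splits an IMEI into its fields, verifies the final digit as the standard Luhn check digit, and shows that once a model's 8-digit prefix is known only the 6-digit serial remains unknown, which is why an IMEI identifies a device but cannot serve as a secret. The sample IMEI is constructed and uses a placeholder prefix; the function and class names are illustrative.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Imei:
    tac: str     # first 8 digits, shared by every unit of a model
    serial: str  # next 6 digits, the per-unit serial number
    check: str   # last digit, computed from the 14 digits before it


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for a 14-digit IMEI body."""
    total = 0
    # Right to left: double every other digit, starting with the last one.
    for offset, ch in enumerate(reversed(body)):
        d = int(ch) * 2 if offset % 2 == 0 else int(ch)
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def parse_imei(value: str) -> Imei:
    """Split a 15-digit IMEI into its fields and verify the check digit."""
    if len(value) != 15 or not (value.isascii() and value.isdigit()):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    body, check = value[:14], value[14]
    if luhn_check_digit(body) != int(check):
        raise ValueError("check digit does not match")
    return Imei(tac=body[:8], serial=body[8:], check=check)


def unknown_space(imei: Imei) -> tuple[int, float]:
    """Values left to guess once the model prefix is known.

    The check digit is derived, so only the serial contributes.
    """
    candidates = 10 ** len(imei.serial)
    return candidates, math.log2(candidates)


if __name__ == "__main__":
    # Constructed sample with a placeholder prefix, not a real device.
    sample = parse_imei("000000001234566")
    count, bits = unknown_space(sample)
    print(sample, f"{count} possible IMEIs per model, about {bits:.1f} bits")
```

For comparison, a randomly generated 128-bit per-device secret has 128 bits of unknown space, so any design that treats the IMEI as the only per-device input to authentication inherits the roughly 20 bits computed here.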

Hesitant reactions and updates without improvement

Although Xplora was informed about these vulnerabilities as early as May 2025, it took a long time for appropriate measures to be taken. An initial update in August simply increased the PIN length to 6 digits and limited the number of failed attempts. It appears the manufacturer was trying to keep researchers and hackers from accessing developer mode.

The actual security flaw, namely the universal key, remained in place. Since the manufacturer stopped responding to inquiries in October, the researchers involved Germany’s Federal Office for Information Security.

Some hope for January 2026

Another update at the end of October also provided no fix, and small changes to the exploit were enough to regain full access. Xplora has now announced a comprehensive security update for January 2026. It’s strongly recommended to install this update immediately upon release. Following several phone calls with the manufacturer in late December 2025, Rollshausen expects a proper solution.

As a technical experiment, Rollshausen also showed an alternative solution. He installed the secure messenger Signal directly on the watch. This illustrates the core problem: parents currently have to decide whether to trust the manufacturer's advertised security or manually choose another protected communication channel.

Marc Herter, 2025-12-30 (Update: 2025-12-30)