CVE CyberSecurity Database News

CVE-2024-36558 - Cleartext Transmission of Sensitive Information in Forever KidsWatch Call Me KW-50

Poster -

In June 2024, a new vulnerability, CVE-2024-36558, was found in the Forever KidsWatch Call Me KW-50 (Firmware: R36_YDR_A3PW_GM7S_V1._2019_07_15_16.19.24_cob_h). This security flaw allows anyone on the same network or with access to the device’s communication channels to snoop on private information sent to and from the smart watch. This happens because the device does not use encryption when talking to its server.

In this article, we will break down the vulnerability, show how the communication can be captured, and explain what attackers can do with the leaked data. We’ll also provide references for those who want to go deeper.

What is Forever KidsWatch Call Me KW-50?

Forever KidsWatch Call Me KW-50 is a smartwatch designed for children. It offers real-time location tracking, two-way calls, and an SOS button. Parents use a mobile app to track and manage the device. This type of smartwatch is marketed for keeping kids safe—but ironically, it can put your child’s data at risk.

The Vulnerability (CVE-2024-36558)

CVE-2024-36558 refers to the lack of encryption (cleartext transmission) in the KW-50 firmware. All messages between the device and the company’s servers travel over the Internet without encryption (no HTTPS, no TLS, not even simple obfuscation).

What Does This Mean?

1. Anyone with access to the network (like public Wi-Fi or a compromised home router) can see everything the watch sends and receives.

Sniffing the Cleartext—A Practical Example

Let’s say a parent configures the KW-50. The watch sends its GPS data and maybe a call log to the Forever KidsWatch server. Here’s how an attacker can capture that with Wireshark:

On the same Wi-Fi as the watch, in a terminal

sudo wireshark

Apply a filter to capture only traffic from the watch’s MAC or IP address. Watch data in real-time.

Inside Wireshark, filter for plaintext protocols

http

Example of Intercepted Cleartext HTTP Payload

POST /upload/data HTTP/1.1
Host: api.foreverkidswatch.com
Content-Type: application/json

{
  "imei": "357123456789012",
  "timestamp": "2024-06-15T20:35:21Z",
  "lat": "37.4219983",
  "lon": "-122.084",
  "phone": "15551234567",
  "message": "SOS triggered"
}

Attacker captures, reads, and possibly sells or abuses this data.

Attackers might even manipulate the traffic or intercept voice calls, depending on how the firmware communicates.
This attack does not require advanced tools—only basic networking knowledge.

Leakage of phone numbers and potential eavesdropping

This flaw is especially serious because children are the main users.

References

- Original CVE-2024-36558 at NIST *(pending publication)*
- OWASP: Cleartext Transmission of Sensitive Information
- How to capture HTTP traffic with Wireshark

Conclusion

CVE-2024-36558 in Forever KidsWatch Call Me KW-50 is a textbook example of how skipping encryption can seriously endanger user privacy—in this case, children. Until a patch is released, these watches should be unplugged or replaced with models using secure communication.

If you want your child’s data to stay private, use only devices that communicate with servers over HTTPS and other secure protocols.


*Stay safe. Protect your privacy—and your child’s.*

Timeline

Published on: 02/06/2025 18:15:31 UTC
Last modified on: 03/19/2025 15:15:47 UTC