Xplora has built a strong reputation as one of the biggest names in kids’ smartwatches, promoting high security standards and a “transparent” approach to protecting families. In Norway, these watches have become especially common, with reports suggesting that nearly one in five children aged 4 to 10 wears one. But new findings from researchers in Germany paint a far less reassuring picture, raising serious questions about how safe these child-focused wearables really are.
The concerns come from an investigation at TU Darmstadt, where a master’s student, Malte Vu, analyzed a current Xplora smartwatch under the supervision of Nils Rollshausen. What stands out immediately is how quickly the researchers say they got in. Within just a few days, they were able to enable the watch’s PIN-protected developer mode and extract the software. Vu reportedly brute-forced the developer PIN manually in only a few hours, showing that the initial barrier to deeper access wasn’t as strong as many parents might assume.
Once inside, the researchers say they discovered a much bigger issue than a weak PIN: a fundamental cryptographic flaw. According to their analysis, the watch model they examined uses a general cryptographic key that is identical across all devices of the same type. In practical terms, that kind of shared “universal key” can turn a single successful compromise into a repeatable method that applies to an entire product line.
Why does that matter? Because the researchers say that with this universal key, an attacker would only need the watch’s IMEI number to gain deep access to data. An IMEI is a 15-digit identifier used by mobile-connected devices. The first eight digits are tied to the model, the following digits form a serial number, and the last digit is a check digit. Rollshausen explained that if someone can predict or scan across a manufacturer’s IMEI range, the attack could potentially be automated at scale.
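The following is an added example, not code from the researchers or from Xplora, showing why an IMEI cannot stand in for a per-device secret and how a shared key differs from keys provisioned per watch. The page does not describe the real protocol, so the HMAC challenge-response, the class names and the `00000000` IMEI prefix are all assumptions made for illustration.

```python
import hashlib, hmac, math, secrets

def luhn_check_digit(body14: str) -> str:
    """Check digit for a 14-digit IMEI body (8-digit model prefix + 6-digit serial)."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit from the right
        total += d - 9 if d > 9 else d
    return str((10 - total % 10) % 10)

def secret_bits_in_imei() -> float:
    """Bits an outsider lacks once the model is known: only the 6 serial digits vary."""
    return math.log2(10 ** 6)

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class SharedKeyBackend:
    """Assumed weak design: one key for the whole model, IMEI as the only per-device input."""
    def __init__(self, universal_key: bytes):
        self.key = universal_key
    def accepts(self, imei: str, challenge: bytes, response: bytes) -> bool:
        return hmac.compare_digest(mac(self.key, imei.encode() + challenge), response)

class PerDeviceBackend:
    """Hardened design: an independent random secret per watch, set at provisioning."""
    def __init__(self):
        self.keys = {}
    def provision(self, imei: str) -> bytes:
        self.keys[imei] = secrets.token_bytes(32)
        return self.keys[imei]
    def accepts(self, imei: str, challenge: bytes, response: bytes) -> bool:
        key = self.keys.get(imei)
        return key is not None and hmac.compare_digest(mac(key, challenge), response)

def compare_designs() -> dict:
    # Constructed IMEIs: the prefix 00000000 is a placeholder, not a real model code.
    prefix = "00000000"
    watch_a, watch_b = (prefix + s + luhn_check_digit(prefix + s) for s in ("123456", "654321"))
    challenge = secrets.token_bytes(16)
    universal = secrets.token_bytes(32)  # identical copy sits in every watch of the model
    shared, per_device = SharedKeyBackend(universal), PerDeviceBackend()
    key_a = per_device.provision(watch_a)
    per_device.provision(watch_b)
    # In each "crosses" case, material held by watch A answers a challenge meant for watch B.
    return {
        "shared_key_crosses_devices": shared.accepts(watch_b, challenge, mac(universal, watch_b.encode() + challenge)),
        "per_device_key_crosses_devices": per_device.accepts(watch_b, challenge, mac(key_a, challenge)),
        "owner_still_works": per_device.accepts(watch_a, challenge, mac(key_a, challenge)),
    }
```

With the model prefix known and the check digit computed, an IMEI contributes under 20 bits of uncertainty, which is why the hardened backend relies on a 256-bit random secret per watch instead.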
The potential consequences described by the researchers are alarming, especially given that these are devices designed for children. With broad access, an attacker could theoretically read private chats, intercept images and voice notes, and even tamper with location information. The researchers also indicated it may be possible to send fake messages to the parent app as if they came from the child—opening the door to misinformation, manipulation, and serious privacy risks. If communication channels can be abused in both directions, families could be exposed not only to data theft but also to targeted social engineering attempts.
The timeline of the company’s response is also part of the story. The researchers said Xplora was informed about the vulnerabilities in May 2025, but meaningful progress appeared slow. An update released in August reportedly focused on raising the developer PIN length to six digits and limiting failed attempts—steps that may reduce casual tampering, but do not address the deeper issue of a shared cryptographic key. The researchers say the universal key remained unchanged.
By October, the researchers reported that the manufacturer had stopped responding to inquiries, leading them to involve Germany’s Federal Office for Information Security. Another update later in October also reportedly did not resolve the core problem, and the researchers claimed that only minor adjustments were needed to regain full access.
Xplora has since announced a more comprehensive security update targeted for January 2026. Based on late-December 2025 phone calls, Rollshausen expressed hope that a proper fix is coming. For parents using these watches, it’s recommended to install the January 2026 update immediately when it becomes available, especially given the seriousness of the access described by the researchers.
To underline what’s possible when software choices change, Rollshausen also demonstrated an alternative approach as a technical experiment by installing the secure messenger Signal directly on the watch. The point wasn’t that every family should modify a child’s smartwatch, but rather that the current situation forces parents into an uncomfortable choice: rely on the manufacturer’s promised security, or seek an independent, more proven communication method where possible.
For families considering a kids’ smartwatch—or already relying on one for messaging and location sharing—this report is a reminder to treat security claims carefully. Watch for official software updates, apply them quickly, and review what data the watch can access and transmit. When children’s privacy and safety are on the line, strong encryption, unique device security keys, and fast vulnerability response times aren’t “nice-to-haves”—they’re essential.





