Overview
- Researchers at TU Darmstadt’s SEEMOO Lab accessed an Xplora X6Play through the charging-pin debug interface and brute-forced a PIN to enable developer mode.
- Extracted static secrets let them impersonate watches to read and inject parent–child chats, falsify reported locations, and remotely reset devices.
- Because authentication relied on static firmware keys, a key from one watch could unlock all devices of the same model, which Xplora says totals over 1.5 million units.
- Xplora’s August and October firmware updates increased PIN length and added lockout but did not rotate credentials or resolve the core authentication weaknesses.
- After BSI involvement, Xplora engaged the researchers on December 22, said it has seen no evidence of data leakage and that the attack requires physical access, and promised a comprehensive fix in January 2026 with a revamped disclosure program.
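The fourth and fifth bullets describe the core design flaw: every unit authenticated with the same key burned into firmware, so one extracted key impersonated the whole fleet, and the patches never rotated it. The following added example, written for this summary and not code from the researchers or from Xplora, contrasts that model with per-device keys derived from a server-side master secret in a challenge-response exchange. All names (`AuthServer`, the serials `WATCH-A`/`WATCH-B`, the derivation label) are constructed for illustration; the derivation uses HMAC-SHA256 in place of a full HKDF.

```python
import hashlib
import hmac
import secrets


def derive_device_key(master: bytes, version: int, serial: str) -> bytes:
    # One master secret, one unique key per (key version, device serial).
    # Assumption for this example: an HMAC-SHA256 expand step stands in for HKDF.
    info = f"device-auth-v{version}|{serial}".encode()
    return hmac.new(master, info, hashlib.sha256).digest()


def device_respond(key: bytes, serial: str, nonce: bytes) -> bytes:
    # What the watch computes in reply to a server challenge.
    return hmac.new(key, serial.encode() + nonce, hashlib.sha256).digest()


class AuthServer:
    """Challenge-response server; per_device=False models a single static firmware key."""

    def __init__(self, per_device: bool):
        self.per_device = per_device
        self.version = 1
        self.master = secrets.token_bytes(32)       # never leaves the backend
        self.static_key = secrets.token_bytes(32)   # the shared-key anti-pattern
        self.pending: dict[str, bytes] = {}         # serial -> outstanding nonce
        self.revoked: set[str] = set()

    def provision(self, serial: str) -> bytes:
        # The key that would be written into this unit's firmware at manufacture.
        if self.per_device:
            return derive_device_key(self.master, self.version, serial)
        return self.static_key

    def rotate(self) -> None:
        # Credential rotation: new master and version; every old key stops working.
        self.version += 1
        self.master = secrets.token_bytes(32)
        self.static_key = secrets.token_bytes(32)

    def revoke(self, serial: str) -> None:
        self.revoked.add(serial)

    def challenge(self, serial: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[serial] = nonce
        return nonce

    def verify(self, serial: str, tag: bytes) -> bool:
        nonce = self.pending.pop(serial, None)   # single-use: blocks replay
        if nonce is None or serial in self.revoked:
            return False
        expected = device_respond(self.provision(serial), serial, nonce)
        return hmac.compare_digest(expected, tag)


def legitimate_auth_works(per_device: bool) -> bool:
    server = AuthServer(per_device)
    key_b = server.provision("WATCH-B")
    nonce = server.challenge("WATCH-B")
    return server.verify("WATCH-B", device_respond(key_b, "WATCH-B", nonce))


def leaked_key_impersonates_other_device(per_device: bool) -> bool:
    # Key extracted from watch A is used to answer a challenge issued for watch B.
    server = AuthServer(per_device)
    key_a = server.provision("WATCH-A")
    nonce = server.challenge("WATCH-B")
    return server.verify("WATCH-B", device_respond(key_a, "WATCH-B", nonce))


def revocation_is_selective() -> bool:
    # With per-device keys, a compromised unit can be cut off without touching the rest.
    server = AuthServer(per_device=True)
    key_a, key_b = server.provision("WATCH-A"), server.provision("WATCH-B")
    server.revoke("WATCH-A")
    a_ok = server.verify("WATCH-A", device_respond(key_a, "WATCH-A", server.challenge("WATCH-A")))
    b_ok = server.verify("WATCH-B", device_respond(key_b, "WATCH-B", server.challenge("WATCH-B")))
    return (not a_ok) and b_ok


def rotation_invalidates_old_keys() -> bool:
    server = AuthServer(per_device=True)
    old_key = server.provision("WATCH-B")
    server.rotate()
    stale = server.verify("WATCH-B", device_respond(old_key, "WATCH-B", server.challenge("WATCH-B")))
    fresh = server.verify("WATCH-B", device_respond(server.provision("WATCH-B"), "WATCH-B", server.challenge("WATCH-B")))
    return (not stale) and fresh


if __name__ == "__main__":
    print("static key, leaked A impersonates B:", leaked_key_impersonates_other_device(False))
    print("per-device key, leaked A impersonates B:", leaked_key_impersonates_other_device(True))
    print("selective revocation:", revocation_is_selective())
    print("rotation invalidates old keys:", rotation_invalidates_old_keys())
```

The static-key server accepts watch A's key for watch B, which is the fleet-wide impersonation the summary describes; the per-device server rejects it, and the same structure gives the operator two responses the shipped updates lacked: revoking one unit and rotating credentials fleet-wide.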