These kids’ headphones know way more about you than you’d expect.
A security researcher’s unsettling discovery inside Kekz’s headphones for kids reveals far more than advertised. What seemed to be offline, safe listening devices turned out to contain hidden tracking features, all without any user disclosure.
Marketing Claims vs. Reality
Kekz promotes itself as a game-changer in the kids’ headphones market.
Their marketing makes several key promises to parents.
- First, the headphones work without WiFi or cellular connections. Parents are assured this independence creates a safer listening experience for kids.
- Second, they offer a completely private listening experience. This is thanks to their “triple encryption” feature, which supposedly blocks any unauthorized access to the device.
Plus, German celebrity investor Peter Maffay’s support of the startup made parents trust Kekz even more as a company that cares about privacy.
All of this, along with the colorful and durable design, makes the headphones perfect for safety-conscious parents… at least on paper.
But as the researcher discovered, these reassuring claims don’t match what’s actually inside these headphones.
Kekz headphones’ hidden architecture tells a different story.
When reverse engineering the headphones, the researcher discovered that the device contained a specialized Jieli AC21BP0H733-51C8 chip and an SD card for offline listening.
But these parts apparently do more than meets the eye.
For example, the 32 GB SD card originally stored 276 folders, a number that increased to 369 after a software update. Each folder contained encrypted .kez files that need specific decryption keys to unlock.
And when the SD card is connected to the official Windows app, the files are automatically ‘hidden’, making them invisible to users.
Privacy Concerns Discovered
When users connect Kekz headphones to the accompanying Windows application, hidden data uploads begin.
Despite being marketed as entirely offline devices, the application secretly collects several types of user data.
First, it tracks how people use the headphones.
The program records device IDs and unique device GUIDs, making a detailed list of when and how people use the headphones.
It also watches all audio content through ID3 tags in MP3 files, recording both Kekz’s official content and any user-made audio that plays. This creates a big record of listening habits without the users’ knowledge.
Second, it tracks the users’ locations.
Using Windows’ location services, the application gathers geolocation data through WiFi triangulation. This lets Kekz track where people use the headphones without telling users or getting permission.
The location data isn’t directly linked to content playback, but it still provides a detailed map of movement and usage patterns that contradicts the company’s privacy promises.
Worse, all this collected data (usage records, content tracking, and location information) gets transmitted to an Azure Cosmos database.
That’s especially worrying since the database is known to have huge vulnerabilities.
Its connection strings are exposed, leaving it unprotected. This means sensitive user data remains accessible to anyone familiar with the system’s weaknesses.
In short, someone could potentially:
- Track a child’s daily routines by seeing when and where they use the headphones.
- Know which locations a child frequently visits, like their school or home.
- Build patterns of a family’s schedule based on device usage times.
- Determine what content a child listens to, and when, in order to know how to attract or manipulate them.
- Identify periods when a house might be empty based on usage patterns.
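For vendors shipping a companion app, exposed connection strings like those described above are something a pre-release check can catch. The following Python scanner is an added example, not code from the researcher or from Kekz; it assumes the secrets sit in distributable files (the article does not say where they were exposed), and the account name, key and file names are constructed.

```python
import base64
import binascii
import hashlib
import re

# Cosmos DB connection strings have the form AccountEndpoint=<url>;AccountKey=<base64>;
PATTERN = re.compile(
    r"AccountEndpoint=(https://[A-Za-z0-9.-]+(?::\d+)?/?);\s*AccountKey=([A-Za-z0-9+/]+={0,2})",
    re.IGNORECASE,
)

def looks_like_key(value):
    """Heuristic (assumption): a live key is base64 of a long random value."""
    try:
        return len(base64.b64decode(value, validate=True)) >= 32
    except (binascii.Error, ValueError):
        return False

def find_cosmos_secrets(blob):
    """Scan raw file bytes; report endpoint plus a key fingerprint, never the key."""
    findings, seen = [], set()
    # Second view drops NUL bytes so UTF-16LE literals (.NET assemblies) read as ASCII.
    views = (("ascii/utf-8", blob), ("utf-16le", blob.replace(b"\x00", b"")))
    for label, data in views:
        for match in PATTERN.finditer(data.decode("latin-1")):
            endpoint, key = match.groups()
            if (endpoint, key) in seen or not looks_like_key(key):
                continue  # already reported, or a placeholder such as CHANGEME
            seen.add((endpoint, key))
            fingerprint = hashlib.sha256(key.encode()).hexdigest()[:12]
            findings.append({"endpoint": endpoint, "encoding": label, "key_sha256": fingerprint})
    return findings

# Constructed sample data: a fake account name and a non-secret, predictable "key".
FAKE_KEY = base64.b64encode(bytes(range(64))).decode()
FAKE_CONN = f"AccountEndpoint=https://example-account.documents.azure.com:443/;AccountKey={FAKE_KEY};"
SAMPLES = {
    "native.bin": b"\x7fELF\x01" + FAKE_CONN.encode() + b"\x00tail",
    "app.dll": b"MZ\x90\x00" + FAKE_CONN.encode("utf-16-le") + b"\x00\x00",
    "template.config": b"AccountEndpoint=https://example-account.documents.azure.com:443/;AccountKey=CHANGEME;",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        for hit in find_cosmos_secrets(blob):
            print(f"{name}: {hit['endpoint']} ({hit['encoding']}) key sha256 {hit['key_sha256']}")
```

Any hit in a file that leaves the build server means the key has to be rotated and moved behind a server-side API, because a client application cannot keep a database account key secret.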
A Pattern of Privacy Negligence
The researcher’s efforts to address these privacy concerns hit a wall of silence from Kekz.
The new policy vaguely mentioned app data collection but didn’t fix the huge security problems, leaving the main issues unsolved.
Meanwhile, Kekz keeps selling these headphones as secure, offline devices without telling customers about these findings. The data collection and tracking continue, and the security weaknesses remain exposed.
But this means more than just one company’s failures.
This case shows the dangers hiding in “smart” devices made for children.
Without proper disclosures, parents can’t make good choices about their children’s privacy. And if no one challenges what Kekz does, other companies might copy them, possibly turning children’s tech products into hidden surveillance tools.