Lenovo’s Watch X was widely panned as “completely horrible.” As it turns out, so was its security.
The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Sold only in the China market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, a friend gave him one. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts and spoof phone calls.
Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, along with data about how he was using the watch, such as how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing that person’s username. That would have given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, that might not be a red flag to locals. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off, repeatedly. “The function allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, beyond confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.
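As an added example (not Checkmarx’s research code, and not Lenovo’s app or API, whose endpoints the article does not describe), here is the class of flaw Yalon describes in the password-reset step, beside the permission fix he recommends: a reset handler that needs only a username, next to one that binds the reset to a single-use, expiring token delivered out of band to the registered email address. The function names, the in-memory user store and the sample accounts are assumptions constructed for the example; transport encryption, the other fix named above, is a separate change and is not shown here.

```python
"""Added example: username-only password reset (the pattern described in the
article) beside a hardened reset bound to a single-use, expiring token.
Not Checkmarx's or Lenovo's code; every name and record here is constructed."""
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60
MIN_PASSWORD_LEN = 12

# Constructed in-memory store. A real service stores a password hash, not the
# password; plaintext is kept here only so the change can be observed.
USERS = {"alice": {"email": "alice@example.com", "password": "hunter2"}}

# token digest -> (username, expiry). Storing only the digest means a leaked
# table does not yield usable tokens.
RESET_TOKENS: dict = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def vulnerable_reset(username: str, new_password: str) -> bool:
    """The pattern the article describes: anyone who knows a username can set
    that account's password. No proof that the caller owns the account is
    required, so this is an account takeover for every user."""
    user = USERS.get(username)
    if user is None:
        return False
    user["password"] = new_password
    return True


def issue_reset_token(username: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened flow, step 1 (server side). Mints a random token bound to the
    account and returns it for delivery to the registered email address. The
    HTTP response to the caller must look the same whether or not the username
    exists, so the endpoint cannot be used to enumerate accounts."""
    user = USERS.get(username)
    if user is None:
        return None
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token  # handed to the mailer for user["email"]; never in the API reply


def hardened_reset(token: str, new_password: str, now: Optional[float] = None) -> bool:
    """Hardened flow, step 2. The caller proves control of the out-of-band
    channel by presenting the token; the username comes from the token's
    binding, not from the request body."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = RESET_TOKENS.get(key)
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        del RESET_TOKENS[key]
        return False
    if len(new_password) < MIN_PASSWORD_LEN:
        return False  # token stays valid for one corrected retry
    del RESET_TOKENS[key]  # single use: replaying the same token fails
    USERS[username]["password"] = new_password
    return True


if __name__ == "__main__":
    print("username-only reset:", vulnerable_reset("alice", "attacker-chosen"))
    tok = issue_reset_token("alice", now=0.0)
    print("with token:", hardened_reset(tok, "correct horse battery", now=1.0))
    print("replayed token:", hardened_reset(tok, "correct horse battery", now=2.0))
```

The point of the hardened pair is that the reset endpoint no longer accepts an identity claim it cannot verify: the only input that changes a password is a token the server minted and sent somewhere the attacker does not control, and it works once. The same shape applies to the watch-control commands Yalon mentions, where the server should act only on requests carrying a credential tied to the account that owns the device.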