Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.
The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Available only in the China market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, a friend gave him one. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts, and spoof phone calls.
Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing that person’s username. That could have given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, that may not be a red flag to locals. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t limited to the leaky API. He found that the Bluetooth-enabled smartwatch could be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off, repeatedly. “The feature allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app, and its web server would prevent snooping and help reduce manipulation.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.
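To make the password-reset flaw and its fix concrete, here is an added example that is not Lenovo’s, the device maker’s, or Checkmarx’s code, and does not reproduce the Watch X API (the article gives no protocol details). It shows the general class of the bug Yalon describes, a reset endpoint that changes a password for any username it is handed, beside a version that binds the reset to an unguessable, single-use, time-limited token. The in-memory user store, the function names and the 15-minute token lifetime are all assumptions for the illustration.

```python
"""Illustrative password-reset flow: the weak pattern described in the
article (reset by username alone) next to a token-bound version.

Added example code, not Lenovo's or Checkmarx's, and not the Watch X API.
The user store, names and token lifetime are made up for the illustration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset token


@dataclass
class UserStore:
    # Constructed in-memory user table: username -> password.
    # A real store would hold password hashes, not the passwords themselves.
    passwords: dict = field(default_factory=dict)
    # username -> (token, issued_at); at most one live reset token per user.
    reset_tokens: dict = field(default_factory=dict)


def reset_password_vulnerable(store, username, new_password):
    """Weak pattern: anyone who can name a user can set that user's
    password. No proof that the caller controls the account is required."""
    if username not in store.passwords:
        return False
    store.passwords[username] = new_password
    return True


def issue_reset_token(store, username, now=None):
    """Issue an unguessable, single-use, time-limited token for one user.
    In a real system it is delivered out of band (e.g. to the registered
    email address), never handed back to whoever called the reset API."""
    if username not in store.passwords:
        return None  # do not reveal whether the account exists
    token = secrets.token_urlsafe(32)
    issued_at = now if now is not None else time.time()
    store.reset_tokens[username] = (token, issued_at)
    return token


def reset_password_hardened(store, username, new_password, token, now=None):
    """Hardened version: the reset must present the token issued for this
    exact username, within its lifetime, and each token works only once."""
    record = store.reset_tokens.get(username)
    if record is None:
        return False
    expected, issued_at = record
    current = now if now is not None else time.time()
    if current - issued_at > TOKEN_TTL_SECONDS:
        del store.reset_tokens[username]  # expired tokens are discarded
        return False
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected, token):
        return False
    del store.reset_tokens[username]  # single use: consume the token
    store.passwords[username] = new_password
    return True


def demo():
    """Run an attacker who knows only a username against both flows, then a
    legitimate token-based reset and a replay of the consumed token."""
    store = UserStore(passwords={"alice": "correct horse", "bob": "battery staple"})
    weak = reset_password_vulnerable(store, "alice", "attacker-chosen")
    hardened_guess = reset_password_hardened(store, "alice", "attacker-chosen", "guess")
    token = issue_reset_token(store, "bob", now=1000.0)
    legit = reset_password_hardened(store, "bob", "new secret", token, now=1060.0)
    replay = reset_password_hardened(store, "bob", "again", token, now=1061.0)
    return {
        "weak": weak,
        "hardened_guess": hardened_guess,
        "legit": legit,
        "replay": replay,
        "alice": store.passwords["alice"],
        "bob": store.passwords["bob"],
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function succeeds for the attacker because the username is the only input; the hardened one rejects a guessed token, accepts the genuine one exactly once, and refuses the same token on replay or after the lifetime has passed. Adding a token does not remove the need for the transport encryption Yalon calls for: over plain text, the token is just as visible as the password was.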