Lenovo’s Watch X was broadly panned as “completely horrible.” As it turns out, so was its security.
The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Available only in the China market, anyone who wants one has to buy it directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. But it didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts and spoof phone calls.
Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That would have given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, it might not be a red flag to locals. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t limited to the leaky API. He found that the Bluetooth-enabled smartwatch could be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off — repeatedly. “The function allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, beyond confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo through limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher, and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.