Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.
The low-end $50 smart watch was one of Lenovo’s cheapest smart watches. Available only for the China market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts, and spoof phone calls.
Because the smart watch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, such as how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing that person’s username. That could have given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, that might not be a red flag to locals. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t limited to the leaky API. He found that the Bluetooth-enabled smart watch could also be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off — over and over again. “The function allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, beyond confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo through limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher, and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app, and its web server would prevent snooping and help reduce manipulation.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.