Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.
The low-end $50 smart watch was one of Lenovo’s cheapest smart watches. Sold only in the China market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, a friend gave him one. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts, and spoof phone calls.
Because the smart watch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, such as how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing that person’s username. The endpoint demanded no proof that the caller owned the account, so that alone could have given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, that might not be a red flag to local users. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t limited to the leaky API. He found that the Bluetooth-enabled smart watch could be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off repeatedly. “The function allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, beyond confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app, and its web server would prevent snooping and help reduce manipulation, since an attacker on the same network could no longer read credentials off the wire or rewrite requests in transit.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.
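The password-reset flaw described above is a textbook missing-authorization bug: the server acted on a username without any proof that the caller controlled the account. The following is an added illustration of that class of bug and of the kind of permission fix Yalon refers to; it is a generic model written for this article, not Lenovo’s, the ODM’s, or Checkmarx’s code, and it does not reproduce the Watch X API. The usernames, passwords, and the in-memory account store are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed sample data: these accounts exist only for this illustration.
SEED_ACCOUNTS = (("alice", "alice-original"), ("bob", "bob-original"))

# Lifetime of a reset token in seconds (an assumed policy value, not from the article).
RESET_TTL = 15 * 60


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library keeps the example dependency-free;
    # a production service would prefer argon2 or bcrypt. The authorization
    # logic around it is the point of the example, not the hash choice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_store() -> Dict[str, dict]:
    """Build the in-memory account store from the constructed seed data."""
    store: Dict[str, dict] = {}
    for name, pw in SEED_ACCOUNTS:
        salt = secrets.token_bytes(16)
        store[name] = {"salt": salt, "hash": _hash_password(pw, salt), "reset": None}
    return store


def login(store: Dict[str, dict], username: str, password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash_password(password, rec["salt"]))


# Vulnerable model: the only thing the endpoint checks is that the username
# exists. Anyone who knows a username can set that account's password.
def reset_password_insecure(store: Dict[str, dict], username: str, new_password: str) -> bool:
    rec = store.get(username)
    if rec is None:
        return False
    rec["hash"] = _hash_password(new_password, rec["salt"])
    return True


# Hardened model: the reset must present a single-use, time-limited token that
# was delivered to the account holder out of band (e.g. to the registered email).
def issue_reset_token(store: Dict[str, dict], username: str, now: Optional[float] = None) -> Optional[str]:
    rec = store.get(username)
    if rec is None:
        # Returning None is fine for the demo; a real endpoint would respond
        # identically for unknown users so it does not leak which names exist.
        return None
    token = secrets.token_urlsafe(32)
    issued_at = now if now is not None else time.time()
    rec["reset"] = (token, issued_at + RESET_TTL)
    return token


def reset_password_secure(store: Dict[str, dict], username: str, token: str,
                          new_password: str, now: Optional[float] = None) -> bool:
    rec = store.get(username)
    if rec is None or rec["reset"] is None:
        return False  # unknown user or no outstanding reset request
    expected, expires_at = rec["reset"]
    current = now if now is not None else time.time()
    if current > expires_at:
        return False  # token expired
    if not hmac.compare_digest(expected.encode(), token.encode()):
        return False  # wrong token (constant-time compare)
    rec["reset"] = None  # single use: a replayed token must fail
    rec["hash"] = _hash_password(new_password, rec["salt"])
    return True


if __name__ == "__main__":
    store = make_store()
    # Attacker knows only the username and takes over the account.
    reset_password_insecure(store, "alice", "attacker-chosen")
    print("insecure reset lets attacker log in:", login(store, "alice", "attacker-chosen"))

    store = make_store()
    # Same attacker against the hardened endpoint, guessing a token.
    print("secure reset with guessed token:", reset_password_secure(store, "alice", "guess", "attacker-chosen"))
    tok = issue_reset_token(store, "alice")
    print("secure reset with the real token:", reset_password_secure(store, "alice", tok, "alice-new"))
```

The transport-encryption fix Yalon also recommends is separate from this: it stops a nearby observer from reading the username and password in the first place, but it does nothing for an endpoint that will reset a password for anyone who asks, which is why both fixes are needed.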