Cheap smartwatch sends encrypted data to a Chinese IP

Mar 2, 2016 14:54 GMT  ·  By

In a presentation at the BSides security conference in San Francisco, Michael Raggo, Director and Security Researcher for MobileIron, revealed that he discovered a cheap smartwatch engaging in covert communications behind its users' backs.

Giving a speech on the ever-growing practice of mobile app corporate espionage, Mr. Raggo presented a few case studies of how the mobile apps that accompany some of today's smart devices often expose a company's secrets or a person's private data.

Mr. Raggo conducted a series of tests, analyzing some of today's most popular smartwatches for any hidden behavior. His analysis covered four smartwatch platforms, namely Samsung Tizen, Apple watchOS, Android Wear (Moto 360), and the U8 Nucleus.

Never trust a "cheap" anything

The device that fared worst was the U8 Nucleus, an inexpensive smartwatch made in China, sold for around $17 (€15.6), which runs its own operating system, also called Nucleus.

From the get-go, Mr. Raggo thought something was off: instead of a proper website from which he could download the watch's iOS and Android pairing apps, he said he received a piece of paper with an IP address written on it.

Since he was conducting a test in a controlled laboratory, he downloaded one of the pairing apps, which allowed him to manage his watch's settings from his smartphone.

Mr. Raggo didn't have to wait long for something shady to happen: "Once we paired the smartwatch with our iOS and Android devices, [...] it started communicating outbound over a random IP address to China."

The hidden U8 traffic is encrypted, nobody knows what it contains

The researcher says they didn't know what the IP was because it didn't resolve to anything, and all the traffic was over an encrypted channel, so they couldn't tell what the mobile app was sending. Additionally, the watch's manual didn't provide any clues, and neither did U8's website.

Theoretically, this could include simple telemetry data from the smartwatch, but in a worst-case scenario, it could also be the phone's contact list and other private details.
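The kind of check that surfaces this behaviour on a test network is an egress review: aggregate the outbound flows of the phone running the pairing app, drop internal traffic, and flag external destinations that neither resolve to a known host nor appear on the app's documented allowlist. The script below is an added example, not code from the article or from Mr. Raggo's presentation; the flow records, the reverse-DNS table, the vendor hostname and the allowlist are all constructed or hypothetical (documentation IP ranges stand in for real addresses) so that it runs offline.

```python
"""Egress review of a paired-device app's outbound flows (added example).

Constructed flow records and a constructed reverse-DNS table stand in for
NetFlow/pcap output and real lookups so the script runs offline.
"""
import ipaddress
from collections import defaultdict

# Constructed flow log: time,src,dst,dport,proto,bytes_out
# 198.51.100.10 plays the vendor's documented API host; 203.0.113.77 is the
# unexplained destination (both are documentation ranges, not real hosts).
FLOW_LOG = """\
2016-03-01T10:00:01,10.0.0.5,10.0.0.2,53,udp,80
2016-03-01T10:00:02,10.0.0.5,198.51.100.10,443,tcp,1200
2016-03-01T10:00:05,10.0.0.5,203.0.113.77,443,tcp,5400
2016-03-01T10:00:09,10.0.0.5,203.0.113.77,443,tcp,8800
2016-03-01T10:00:15,10.0.0.5,203.0.113.77,8443,tcp,3100
2016-03-01T10:00:20,10.0.0.5,10.0.0.2,53,udp,90
"""

# Constructed reverse-DNS results: only the vendor host has a PTR record.
REVERSE_DNS = {"198.51.100.10": "api.example-vendor.invalid"}

# Hypothetical allowlist: hosts the pairing app is documented to contact.
EXPECTED_HOSTS = {"api.example-vendor.invalid"}

# Lab network ranges; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Turn CSV flow lines into dicts with typed port and byte fields."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto, "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def review_egress(flows, reverse_dns=REVERSE_DNS, expected=EXPECTED_HOSTS,
                  min_bytes=1000):
    """Aggregate outbound bytes per external destination and return the
    destinations that are neither allowlisted nor resolvable, with reasons."""
    per_dst = defaultdict(lambda: {"bytes": 0, "ports": set(), "flows": 0})
    for f in flows:
        if is_internal(f["dst"]):
            continue
        entry = per_dst[f["dst"]]
        entry["bytes"] += f["bytes"]
        entry["ports"].add(f["dport"])
        entry["flows"] += 1

    findings = {}
    for dst, entry in per_dst.items():
        name = reverse_dns.get(dst)
        if name in expected or entry["bytes"] < min_bytes:
            continue
        reasons = ["no reverse DNS record" if name is None
                   else f"resolves to {name}, which is not on the allowlist"]
        if entry["ports"] & {443, 8443}:
            # Encrypted transport: the payload cannot be read, so the finding
            # rests on destination, volume and persistence alone.
            reasons.append("encrypted (TLS ports); payload not inspectable")
        findings[dst] = {"bytes": entry["bytes"], "flows": entry["flows"],
                         "ports": sorted(entry["ports"]), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for dst, info in review_egress(parse_flows(FLOW_LOG)).items():
        print(dst, info)
```

On real captures the reverse-DNS table would come from PTR lookups taken at the time of capture, and the allowlist from the app's documentation or vendor privacy statement; the point of the check is that an encrypted channel leaves destination, volume and persistence as the only evidence, so those are what get recorded.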

"In terms of corporate espionage, in terms of data exfiltration, in terms of data risks, there's definitely a lot of interesting and suspicious behavior there," the researcher added.

Softpedia has contacted U8 for details about Mr. Raggo's findings, and we'll be updating the article as soon as we have a response.

Below is Michael Raggo's presentation at the BSides security conference in San Francisco. The part about the U8 smartwatch is at 13:30.