The Lenovo Watch X has been widely described as "absolutely terrible." It turns out the same goes for its security.
The $50 low-end smartwatch was one of Lenovo's cheapest watches. Available only for the Chinese market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, a friend got him one. He was quick to find several vulnerabilities that allowed him to change users' passwords, hijack accounts and spoof phone calls.
Because the smartwatch used no encryption when sending app data to the server, Yalon said he could see his registered email address and password sent in plain text, along with data about how he used the watch, such as how many steps he had taken.
"The entire API was unencrypted," Yalon said in an email to TechCrunch. "All data was transferred unencrypted."
He found that the API powering the watch was easy to abuse: it let him reset anyone's password simply by knowing that person's username. In other words, the reset endpoint never checked that the caller was entitled to act on the account it named. That could have allowed him to access anyone's account, he said.
Not only that, he discovered that the watch shared its precise geolocation with a server in China. Given that the watch is sold only in China, that might not be a red flag for locals. But Yalon said the watch had "already located my position" even before he registered his account.
Yalon's research wasn't limited to the leaky API. He found that the Bluetooth-enabled smartwatch could be manipulated by anyone nearby sending specially crafted Bluetooth requests. With the help of a small script, he showed how easy it was to spoof a phone call to the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off, repeatedly. "The function allows adding multiple alarms, as often as every minute," he said.
Lenovo didn't have much to say about the vulnerabilities, other than to confirm their existence.
"The Watch X was designed for the Chinese market and is only available from Lenovo through China's limited sales channels," said spokesperson Andrew Barron. "Our [security team] worked with the [original device manufacturer] to address the vulnerabilities identified by the researcher, and all fixes should be completed this week."
Yalon said that encrypting traffic between the watch, the Android app and its web server would prevent snooping and help cut down on manipulation.
"Fixing API permissions eliminates the ability for malicious users to send commands to the watch, impersonate calls, and set alarms," he said.
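The password-reset flaw described above and the "fix API permissions" remedy are two sides of one authorization mistake: the request names the target account, and nothing proves the caller owns it. The following is an added example, not code from Lenovo, its device manufacturer or Checkmarx, and it does not reproduce the watch's real API. It sketches a reset handler in the vulnerable shape beside a corrected one; the endpoint names, session-token scheme, status codes and the user records are assumptions made for illustration.

```python
"""Added illustration (not Lenovo's or Checkmarx's code): a password-reset
handler that trusts the username in the request, beside a corrected handler
that derives identity from a session token and refuses to act on any other
account. Endpoint shape, token scheme and accounts are assumptions."""

import hashlib
import hmac
import secrets

# Constructed sample accounts, not real data. Passwords are stored salted and
# hashed; the flaw being shown is about authorization, not password storage.
def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": _hash(password, salt)}

USERS = {"alice": _account("alice-pw"), "bob": _account("bob-pw")}
SESSIONS = {}  # session token -> username (assumed token scheme)

def login(username, password):
    """Return a fresh session token if the credentials verify, else None."""
    acct = USERS.get(username)
    if acct is None:
        return None
    if not hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def reset_password_vulnerable(body):
    """The pattern the article describes: the only thing identifying the
    victim is the username in the body, so knowing a username is enough."""
    acct = USERS.get(body.get("username", ""))
    if acct is None:
        return 404
    acct.update(_account(body["new_password"]))
    return 200

def reset_password_fixed(body, headers):
    """Authenticate first, then authorize: the account that may be changed is
    the one the session token belongs to, never the one the body names."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    caller = SESSIONS.get(token) if scheme == "Bearer" else None
    if caller is None:
        return 401  # no valid session: not authenticated
    if body.get("username") != caller:
        return 403  # authenticated, but not authorized for that account
    USERS[caller].update(_account(body["new_password"]))
    return 200

if __name__ == "__main__":
    attack = {"username": "bob", "new_password": "pwned"}
    # Attacker knows only the username "bob": the vulnerable handler lets it through.
    print("vulnerable, no credentials:", reset_password_vulnerable(attack))
    # The same request against the fixed handler, unauthenticated and then
    # authenticated as a different user (alice), is refused both times.
    print("fixed, no token:", reset_password_fixed(attack, {}))
    tok = login("alice", "alice-pw")
    print("fixed, alice's token:", reset_password_fixed(attack, {"Authorization": f"Bearer {tok}"}))
```

The design point is that the corrected handler never uses the request body to decide whose password changes; the session token decides that, and the body's username is only cross-checked so a mismatched request fails loudly instead of silently acting on the wrong account. Encrypting the transport, the other remedy Yalon names, is a separate control: it stops an observer from reading the token or password in transit, but on its own it would not have stopped an authenticated attacker from calling the vulnerable handler against someone else's username.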