U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back

An anonymous reader writes: In a presentation at the BSides security conferences in San Francisco, Michael Raggo from MobileIron, has revealed that he discovered a cheap smartwatch engaging in covert communications behind the users' back. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user would install the iOS/Android app that allows the owners to manage the smartwatch via their phones, the app would start an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned something like this was happening in the first place.

The Chinese

[Anonymous Coward]

The Chinese want to know what time it is in America! The bastards!

Welcome, Chinese Spyware Overlords!

[Anonymous Coward]

I, for one, welcome our new Chinese spyware overlords!

Re:The Chinese

[Tx]

It spies on you? So the Chinese can do the core features of Windows 10 in a $17 smartwatch? And you wonder why America is being left behind.

Re:

[zlives]

but but... win 10 is "free"

Now B-Sides is full of useless presentations?

[al0ha]

Geez, I am so tired of these lame presentations and announcements. A n00b could figure this out, how is it relevant to real security research, much less worth a presentation at B-Sides?

Z-z-z-z-z-z-z....

Re: Now B-Sides is full of useless presentations?

[Anonymous Coward]

And yet, you didn't. Does that make you worse than a useless noob? :3

Re:

[al0ha]

Lame attempt at a burn by a useless troll, there is no relevance to the original post which clearly indicates the impression B-Sides is becoming lame and *security researchers * like the one providing this presentation in a forum where the less knowledgeable attend to learn something useful have been ripped-off by someone trying to make some kind of name for themselves with a presentation that in effect should have been a three liner post to security forums.

Sooooo laaammmeee.....

Mess with them

[Anonymous Coward]

Intercept the packets, change a few bytes here and there, and send them on their way.

Re:Mess with them

[MobileTatsu-NJG]

Intercept the packets, change a few bytes here and there, and send them on their way.

In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

Re:

[tlhIngan]

In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

And start sending wildly strange data too - you can bet their tools aren't going to have robust error checking, so an interesting set of numbers may cause it just segfault.

Imagine polluting their database with data that crashes all their tools - their nightly analytics

Re:

[MrNiceguy_KS]

I'll have to send them the info from Bobby Table's watch.

Re:

[lsatenstein]

Intercept the packets, change a few bytes here and there, and send them on their way.

In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

How is a company going to obtain meta data that would allow them to analyse for product improvement. Its time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measuement.

The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

Re:

[MobileTatsu-NJG]

How is a company going to obtain meta data that would allow them to analyse for product improvement.

Transparency.

Its time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measuement.

There is nothing anonymous about it. All you can do is hope they're benevolent.

The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

[CITATION NEEDED]

Re:

[BradMajors]

Does not work. The data is encrypted.

Re:

[LynnwoodRooster]

I've yet to see a stream of data be properly decoded when chunks of it is randomly changed. Including encrypted data. It tends to make the encrypted data worthless...

Re:

[ericloewe]

*Especially* encrypted data. Or compressed, really.

Re:

[JackieBrown]

China, USA..... honestly is there any difference these days ?

So it's a continued race to the bottom?

why single out out chinese?

[sittingnut]

there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
so why select obscure presentations targeting chinese ones?
btw what are the past accomplishments of michael raggo and mobileIron in this field?

Re:

[Anonymous Coward]

He wrote some books regarding corporate security. He's obviously legit if he got invited to present at BSides

Re:

[mrchaotica]

but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them

Sure, and all those "other devices" are made in China too!

Re:

[Threni]

This is some work performed on a specific device. You're just....typing.

"but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?"

Doesn't they? I don't know. Where's the report on that? Perhaps we should add them up. Do some send their data to spain, france, brazil? Who knows?

Re:

[SuperKendall]

there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .

but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?

If there were, why wouldn't we have seen stories about this?

The answer is no, ad the product you are alluding to (the AppleWatch) specifically does not do anything like this - unless after yo

Re:

[AmiMoJo]

If there were, why wouldn't we have seen stories about this?

No, because we would have understood what was happening and realized it is a non-story. Instead, because it's Chinese and the researcher doesn't speak Chinese or make much effort to ask the manufacturer what is happening, it must be evil.

Chances are it's connecting to a server to look for firmware updates for the watch. It's encrypted because the Chinese manufacturer did a good job of preventing MITM attacks and the like on the firmware update process.

But hay, let's not bother finding out if that's the case

Re:

[sociocapitalist]

there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
so why select obscure presentations targeting chinese ones?
btw what are the past accomplishments of michael raggo and mobileIron in this field?

There have been plenty of articles about other companies (mostly lately Microsoft) for exactly this sort of thing so no, Chinese ones are not being singled out for any special attention.

Re:

[martinfb]

Hmmmm! I wonder if any other countries are doing any snooping?! WAIT! The USA does that! (Would that be the pot calling the kettle 'black'?

US companies....

[bazmail]

... would never dream of doing such a thing?

Re:

[dcw3]

Does the MS EULA say that for Win 10?

Re:

[JackieBrown]

If they do then post the story about it. And explain why that actually makes a difference about this story.

Re:

[account_deleted]

Comment removed based on user account deletion

I have this watch

[110010001000]

I actually found one of these watches behind my house. It is complete garbage. Never use software from China.

Re:

[The-Ixian]

Never use software from China.

I can pretty much guarantee that you use Chinese software every day of your life either directly or indirectly.

Re:

[110010001000]

I can guarantee that we don't. Name one.

Re:

[LynnwoodRooster]

Who made your coffeemaker, your microwave, your TV? Firmware in there...

Re:

[110010001000]

I don't have a Chinese coffeemaker, microwave or TV. Neither do you!

Re:

[LynnwoodRooster]

What brand do you have? Most likely, the engineering staff resides in China. You'd be surprised how many mundane appliances we use are ODM'd out of China.

Re:

[110010001000]

Yes the OS isn't so bad. The app is.

Re:

[Darinbob]

I don't think there's any relation here.

Re:

[currently_awake]

When Japan was recovering from WW2 they had no quality control and everything was garbage. But by selling the cheapest garbage they got the opportunity to learn and improve, until they became known for selling the best quality stuff. China is working along the same path, and India will be next after China becomes too expensive.

article is FUD

[Anonymous Coward]

Wow, these guys come off as idiots.

>claims it connects to random IP but they can't find it or determine what it is.
Too stupid to check APNIC?
> claims watch runs a weird OS "Nucleus"
Apparently they're too stupid to google it and found out its a rtos for embedded systems that other smart watch makers in China are using
https://www.mentor.com/embedded-software/industries/wearable-devices
> apparently never contacted company to ask about connection

Re:

[zlives]

last time i called it went like this..

Chinese Executive: You are American.
Watch Owner: Yes.
Chinese Executive: Ohhh, you must have very big penis!
Watch Owner: Excuse me, I was just asking you what your up to with these watches.
Chinese Executive: Nothing, we are very simple people with very small penis. My penis is especially small! ...So small.
Chinese Executive: We cannot achieve so much with such small penis, but you American wow, penis so big, so big penis!
Watch Owner: Well aah I guess it is pretty good

Re:

[AmiMoJo]

It's just thinly veiled racism. It's Chinese, that alone is reason enough to be suspicious and mistrust it. It wouldn't surprise me if the guy is being paid by someone who makes >$17 smart watches and is upset that the Chinese are making a competitive product.

So what

[pegdhcp]

Honestly, which slightly advanced OS and/or platforn does not call home? Maybe some not so good variants of Linux. This post so bad to be a piece of FUD, but close enough... Chinese and cheap, huh. They already are a superpower, your are late by 15-20 years, depending on the industry.

Re:

[110010001000]

You aren't very bright. They OS or platform isn't calling home, the app is. I don't know any decent variant of Linux that calls home.

Re:

[pegdhcp]

And you are dimmest of all then. What do you think you are doing while loading software updates from repositories, using telepathy?

Re:

[Zaelath]

Repos aren't "home", they can even be air-gapped from the internet if you're paranoid or have some other challenging networking.

Re:

[pegdhcp]

It depends how paranoid you are while defining the "home". Last week Ubuntu modified lots of keys in CA. For me this is something critical enough.
You are right that repos are not exactly designed to keep track of user actions, in the general sense of "home to be called". But you need to populate them, even if they are air,glass and steel gapped from the Internet. And during that population, you are replacing software packages by new binaries (and source if you like) provided by distribution packager. So th

Re:

[drinkypoo]

So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

It's simple enough to mirror the whole repo, assuming you have bandwidth.

Re:

[Zaelath]

You need a connection from one unrelated server, that doesn't even have to run the distribution you're maintaining the repo for, not the entire fleet... there's a significant difference in the ability to farm information there.

Assuming you don't trust your binaries, and hence you feel there's some opportunity to open a back door, there's not. The transmission from Vendor => Repo Mirror is two-way, the transmission of Repo Mirror => Clients is /entirely/ under your own control, and the Clients can't ma

Re:

[dbIII]

In that case the user is doing it deliberately.

using telepathy

With posters like the above brainfart I'm pretty fucking happy it doesn't exist.

Re:

[thesupraman]

I can only assume you have not be taken advantage of by Microsofts windows 10 'upgrade' yet?

And anyway, it is patently obviously not the watch doing this, its the associated smartphone app that does it.
Should it be? Almost certainly not. Is it common as mud? Pretty much.

Re:

[Impy the Impiuos Imp]

Windows does lots of stuff nobody knows about because it is encrypted. While this is good for security, you now have to take Microsoft's word for it it is all benign.

Yikes

[riis138]

Yikes, that's slightly terrifying.

Re:

[Wintermute__]

Repeat after me, telemetry is spying. Telemetry is spying.

Telemetry is spying.

Silicon Valley

[AnotherAnonymousUser]

Another fine product from the Nucleus family. Fsckin' Gavin Belson.

Dont Worry

[psybre]

The packets go through the NSA routers before it can reach China.

At least it is encrypted

[subanark]

If something is going out to someone else, I'm glad it is encrypted. Makes it harder for an attacker to learn stuff about what your phone is doing.

your "smartthings" are dumb

[Gravis Zero]

look, i get that you like cool devices that are capable of neat things but if history has proven anything, it's that these "smartthings" are are a bad investment and a security nightmare. we have smartTVs that spy on you and inject even more advertisements, we have watches that die faster than winding watches and are less accurate than some of the original mechanical clocks if they don't sync and finally we have cellphones that need daily charging and give your information to just about anyone.

your "smartt

Covert communications, eh? Where to even start...

[WD]

This article has enough completely-wrong aspects that exempts it from the concept of "not even wrong" I suppose.

1) The watch does not engage in covert traffic. It's the pairing app for the watch that a user installs on a phone that does the communication.

2) What on earth does the redundant phrase "covert communications behind the users' back" even mean? Have you looked at network traffic when *any* application has been launched? If you think that any app talking on the internet without explicitly asking

In the era of IOT

[nehumanuscrede]

If you aren't already familiar with them, it would be prudent to learn how to utilize a packet sniffer to watch what your shiny new devices are doing once connected to a network. You may think twice about blindly connecting it to the same network your other systems reside upon.