U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back (softpedia.com)
An anonymous reader writes: In a presentation at the BSides security conferences in San Francisco, Michael Raggo from MobileIron has revealed that he discovered a cheap smartwatch engaging in covert communications behind the users' back. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user would install the iOS/Android app that allows the owners to manage the smartwatch via their phones, the app would start an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned something like this was happening in the first place.
The Chinese (Score:5, Funny)
The Chinese want to know what time it is in America! The bastards!
Welcome, Chinese Spyware Overlords! (Score:1)
I, for one, welcome our new Chinese spyware overlords!
Re:The Chinese (Score:4, Funny)
It spies on you? So the Chinese can do the core features of Windows 10 in a $17 smartwatch? And you wonder why America is being left behind.
Re: (Score:3)
but but... win 10 is "free"
Now B-Sides is full of useless presentations? (Score:2)
Z-z-z-z-z-z-z....
Re: Now B-Sides is full of useless presentations? (Score:1)
And yet, you didn't. Does that make you worse than a useless noob? :3
Re: (Score:1)
Sooooo laaammmeee.....
Mess with them (Score:1)
Intercept the packets, change a few bytes here and there, and send them on their way.
Re:Mess with them (Score:5, Interesting)
> Intercept the packets, change a few bytes here and there, and send them on their way.
In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?
Re: (Score:2)
And start sending wildly strange data too - you can bet their tools aren't going to have robust error checking, so an interesting set of numbers may cause it to just segfault.
Imagine polluting their database with data that crashes all their tools - their nightly analytics
Re: (Score:1)
I'll have to send them the info from Bobby Table's watch.
Re: (Score:2)
> Intercept the packets, change a few bytes here and there, and send them on their way.
> In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?
How is a company going to obtain meta data that would allow them to analyse for product improvement? It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.
The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.
Re: (Score:2)
> How is a company going to obtain meta data that would allow them to analyse for product improvement?
Transparency.
> It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.
There is nothing anonymous about it. All you can do is hope they're benevolent.
> The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.
[CITATION NEEDED]
Re: (Score:2)
Does not work. The data is encrypted.
Re: (Score:3)
Re: (Score:2)
*Especially* encrypted data. Or compressed, really.
Re: (Score:2)
China, USA..... honestly is there any difference these days ?
So it's a continued race to the bottom?
why single out chinese? (Score:5, Interesting)
there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
so why select obscure presentations targeting chinese ones?
btw what are the past accomplishments of michael raggo and mobileIron in this field?
Re: (Score:1)
Re: (Score:2)
Sure, and all those "other devices" are made in China too!
Re: (Score:1)
This is some work performed on a specific device. You're just....typing.
"but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?"
Doesn't they? I don't know. Where's the report on that? Perhaps we should add them up. Do some send their data to spain, france, brazil? Who knows?
Re: (Score:3)
> there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
> but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
If there were, why wouldn't we have seen stories about this?
The answer is no, and the product you are alluding to (the AppleWatch) specifically does not do anything like this - unless after yo
Re: (Score:1)
> If there were, why wouldn't we have seen stories about this?
No, because we would have understood what was happening and realized it is a non-story. Instead, because it's Chinese and the researcher doesn't speak Chinese or make much effort to ask the manufacturer what is happening, it must be evil.
Chances are it's connecting to a server to look for firmware updates for the watch. It's encrypted because the Chinese manufacturer did a good job of preventing MITM attacks and the like on the firmware update process.
But hey, let's not bother finding out if that's the case
Re: (Score:2)
> there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
> but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
> so why select obscure presentations targeting chinese ones?
> btw what are the past accomplishments of michael raggo and mobileIron in this field?
There have been plenty of articles about other companies (mostly lately Microsoft) for exactly this sort of thing so no, Chinese ones are not being singled out for any special attention.
Re: (Score:1)
US companies.... (Score:3)
Re: (Score:2)
Does the MS EULA say that for Win 10?
Re: (Score:2)
If they do then post the story about it. And explain why that actually makes a difference about this story.
Re: (Score:2)
I have this watch (Score:2)
Re: (Score:3)
Never use software from China.
I can pretty much guarantee that you use Chinese software every day of your life either directly or indirectly.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I don't think there's any relation here.
Re: (Score:2)
article is FUD (Score:3, Interesting)
Wow, these guys come off as idiots.
>claims it connects to random IP but they can't find it or determine what it is.
Too stupid to check APNIC?
> claims watch runs a weird OS "Nucleus"
Apparently they're too stupid to google it and find out it's an RTOS for embedded systems that other smart watch makers in China are using
https://www.mentor.com/embedded-software/industries/wearable-devices
> apparently never contacted company to ask about connection
Re: (Score:1)
last time i called it went like this..
Chinese Executive: You are American. ...So small.
Watch Owner: Yes.
Chinese Executive: Ohhh, you must have very big penis!
Watch Owner: Excuse me, I was just asking you what you're up to with these watches.
Chinese Executive: Nothing, we are very simple people with very small penis. My penis is especially small!
Chinese Executive: We cannot achieve so much with such small penis, but you American wow, penis so big, so big penis!
Watch Owner: Well aah I guess it is pretty good
Re: (Score:2)
It's just thinly veiled racism. It's Chinese, that alone is reason enough to be suspicious and mistrust it. It wouldn't surprise me if the guy is being paid by someone who makes >$17 smart watches and is upset that the Chinese are making a competitive product.
So what (Score:3)
Re: (Score:3)
Re: (Score:2)
Re: (Score:3)
Repos aren't "home", they can even be air-gapped from the internet if you're paranoid or have some other challenging networking.
Re: (Score:2)
You are right that repos are not exactly designed to keep track of user actions, in the general sense of "home to be called". But you need to populate them, even if they are air, glass and steel gapped from the Internet. And during that population, you are replacing software packages by new binaries (and source if you like) provided by distribution packager. So th
Re: (Score:2)
> So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...
It's simple enough to mirror the whole repo, assuming you have bandwidth.
Re: (Score:2)
You need a connection from one unrelated server, that doesn't even have to run the distribution you're maintaining the repo for, not the entire fleet... there's a significant difference in the ability to farm information there.
Assuming you don't trust your binaries, and hence you feel there's some opportunity to open a back door, there's not. The transmission from Vendor => Repo Mirror is two-way, the transmission of Repo Mirror => Clients is /entirely/ under your own control, and the Clients can't ma
Re: (Score:2)
With posters like the above brainfart I'm pretty fucking happy it doesn't exist.
Re: (Score:2)
I can only assume you have not been taken advantage of by Microsoft's Windows 10 'upgrade' yet?
And anyway, it is patently obviously not the watch doing this, it's the associated smartphone app that does it.
Should it be? Almost certainly not. Is it common as mud? Pretty much.
Re: (Score:2)
Windows does lots of stuff nobody knows about because it is encrypted. While this is good for security, you now have to take Microsoft's word for it that it is all benign.
Yikes (Score:1)
Re: (Score:2)
Repeat after me, telemetry is spying. Telemetry is spying.
Telemetry is spying.
Silicon Valley (Score:2)
Don't Worry (Score:1)
The packets go through the NSA routers before it can reach China.
At least it is encrypted (Score:2)
If something is going out to someone else, I'm glad it is encrypted. Makes it harder for an attacker to learn stuff about what your phone is doing.
your "smartthings" are dumb (Score:2)
look, i get that you like cool devices that are capable of neat things but if history has proven anything, it's that these "smartthings" are a bad investment and a security nightmare. we have smartTVs that spy on you and inject even more advertisements, we have watches that die faster than winding watches and are less accurate than some of the original mechanical clocks if they don't sync and finally we have cellphones that need daily charging and give your information to just about anyone.
your "smartt
Covert communications, eh? Where to even start... (Score:2)
This article has enough completely-wrong aspects that exempts it from the concept of "not even wrong" I suppose.
1) The watch does not engage in covert traffic. It's the pairing app for the watch that a user installs on a phone that does the communication.
2) What on earth does the redundant phrase "covert communications behind the users' back" even mean? Have you looked at network traffic when *any* application has been launched? If you think that any app talking on the internet without explicitly asking
In the era of IOT (Score:2)
If you aren't already familiar with them, it would be prudent to learn how to utilize a packet sniffer to watch what your shiny new devices are doing once connected to a network. You may think twice about blindly connecting it to the same network your other systems reside upon.
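
The check suggested in the comment above, as an added example that is not part of the original thread: a short Python script that takes text output in the shape of `tcpdump -nn -tt` and lists every destination a given device sent traffic to, marking the ones outside an expected set. Since the story attributes the connection to the phone's companion app, the device watched here is the phone; the address 192.168.1.50, the `expected_nets` allowlist and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the shape of `tcpdump -nn -tt` text output.
# All addresses are private or documentation ranges, not real capture data.
SAMPLE = """\
1456789012.100000 IP 192.168.1.50.49152 > 198.51.100.7.443: Flags [P.], seq 1:518, ack 1, win 229, length 517
1456789012.200000 IP 198.51.100.7.443 > 192.168.1.50.49152: Flags [P.], seq 1:1400, ack 518, win 235, length 1399
1456789013.000000 IP 192.168.1.50.49153 > 203.0.113.10.443: Flags [P.], seq 1:300, ack 1, win 229, length 299
1456789043.000000 IP 192.168.1.50.49153 > 203.0.113.10.443: Flags [P.], seq 300:620, ack 1, win 229, length 320
1456789050.000000 IP 192.168.1.20.50000 > 203.0.113.99.80: Flags [S], seq 0, win 64240, length 0
"""

# timestamp, "IP", src.port > dst.port:, anything, "length N"
LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): .*?length (?P<len>\d+)"
)


def outbound_summary(text, device_ip, expected_nets=()):
    """Group packets sent by device_ip by (dst, dport) and mark each
    destination as expected or not (expected_nets is a hypothetical allowlist)."""
    expected = [ip_network(n) for n in expected_nets]
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for line in text.splitlines():
        m = LINE.match(line)
        if not m or m["src"] != device_ip:
            continue  # unparsed line, or traffic not sent by the device
        flow = flows[(m["dst"], int(m["dport"]))]
        ts = float(m["ts"])
        flow["packets"] += 1
        flow["bytes"] += int(m["len"])
        flow["first"] = ts if flow["first"] is None else min(flow["first"], ts)
        flow["last"] = ts if flow["last"] is None else max(flow["last"], ts)
    return [
        {"dst": dst, "dport": dport, **flow,
         "expected": any(ip_address(dst) in net for net in expected)}
        for (dst, dport), flow in sorted(flows.items())
    ]


if __name__ == "__main__":
    for row in outbound_summary(SAMPLE, "192.168.1.50", ["198.51.100.0/24"]):
        tag = "ok" if row["expected"] else "UNDOCUMENTED"
        print(f'{row["dst"]}:{row["dport"]} packets={row["packets"]} '
              f'bytes={row["bytes"]} span={row["last"] - row["first"]:.0f}s {tag}')
```

Even when the payload is encrypted, as in the story, the destination, port, volume and timing remain visible, which is enough to notice a connection the documentation never mentions.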