Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
China Privacy Security

U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back (softpedia.com) 91

An anonymous reader writes: In a presentation at the BSides security conferences in San Francisco, Michael Raggo from MobileIron, has revealed that he discovered a cheap smartwatch engaging in covert communications behind the users' back. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user would install the iOS/Android app that allows the owners to manage the smartwatch via their phones, the app would start an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned something like this was happening in the first place.
This discussion has been archived. No new comments can be posted.

U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back

Comments Filter:
  • The Chinese (Score:5, Funny)

    by Anonymous Coward on Thursday March 03, 2016 @04:42PM (#51631829)

    The Chinese want to know what time it is in America! The bastards!

  • Geez, I am so tired of these lame presentations and announcements. A n00b could figure this out, how is it relevant to real security research, much less worth a presentation at B-Sides?

    Z-z-z-z-z-z-z....
    • And yet, you didn't. Does that make you worse than a useless noob? :3

      • by al0ha ( 1262684 )
        Lame attempt at a burn by a useless troll, there is no relevance to the original post which clearly indicates the impression B-Sides is becoming lame and *security researchers * like the one providing this presentation in a forum where the less knowledgeable attend to learn something useful have been ripped-off by someone trying to make some kind of name for themselves with a presentation that in effect should have been a three liner post to security forums.

        Sooooo laaammmeee.....
  • by Anonymous Coward

    Intercept the packets, change a few bytes here and there, and send them on their way.

    • Re:Mess with them (Score:5, Interesting)

      by MobileTatsu-NJG ( 946591 ) on Thursday March 03, 2016 @04:51PM (#51631927)

      Intercept the packets, change a few bytes here and there, and send them on their way.

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      • by tlhIngan ( 30335 )

        In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

        And start sending wildly strange data too - you can bet their tools aren't going to have robust error checking, so an interesting set of numbers may cause it just segfault.

        Imagine polluting their database with data that crashes all their tools - their nightly analytics

      • Intercept the packets, change a few bytes here and there, and send them on their way.

        In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

        How is a company going to obtain meta data that would allow them to analyse for product improvement. Its time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measuement.

        The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

        • How is a company going to obtain meta data that would allow them to analyse for product improvement.

          Transparency.

          Its time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measuement.

          There is nothing anonymous about it. All you can do is hope they're benevolent.

          The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

          [CITATION NEEDED]

    • Does not work. The data is encrypted.

  • by sittingnut ( 88521 ) <sittingnut@gm[ ].com ['ail' in gap]> on Thursday March 03, 2016 @05:00PM (#51632019) Homepage

    there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
    but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
    so why select obscure presentations targeting chinese ones?
    btw what are the past accomplishments of michael raggo and mobileIron in this field?

    • by Anonymous Coward
      He wrote some books regarding corporate security. He's obviously legit if he got invited to present at BSides
    • but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them

      Sure, and all those "other devices" are made in China too!

    • by Threni ( 635302 )

      This is some work performed on a specific device. You're just....typing.

      "but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?"

      Doesn't they? I don't know. Where's the report on that? Perhaps we should add them up. Do some send their data to spain, france, brazil? Who knows?

    • there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .

      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?

      If there were, why wouldn't we have seen stories about this?

      The answer is no, ad the product you are alluding to (the AppleWatch) specifically does not do anything like this - unless after yo

      • by AmiMoJo ( 196126 )

        If there were, why wouldn't we have seen stories about this?

        No, because we would have understood what was happening and realized it is a non-story. Instead, because it's Chinese and the researcher doesn't speak Chinese or make much effort to ask the manufacturer what is happening, it must be evil.

        Chances are it's connecting to a server to look for firmware updates for the watch. It's encrypted because the Chinese manufacturer did a good job of preventing MITM attacks and the like on the firmware update process.

        But hay, let's not bother finding out if that's the case

    • there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
      so why select obscure presentations targeting chinese ones?
      btw what are the past accomplishments of michael raggo and mobileIron in this field?

      There have been plenty of articles about other companies (mostly lately Microsoft) for exactly this sort of thing so no, Chinese ones are not being singled out for any special attention.

    • Hmmmm! I wonder if any other countries are doing any snooping?! WAIT! The USA does that! (Would that be the pot calling the kettle 'black'?
  • by bazmail ( 764941 ) on Thursday March 03, 2016 @05:04PM (#51632047)
    ... would never dream of doing such a thing?
  • I actually found one of these watches behind my house. It is complete garbage. Never use software from China.
  • article is FUD (Score:3, Interesting)

    by Anonymous Coward on Thursday March 03, 2016 @05:18PM (#51632159)

    Wow, these guys come off as idiots.

    >claims it connects to random IP but they can't find it or determine what it is.
    Too stupid to check APNIC?
    > claims watch runs a weird OS "Nucleus"
    Apparently they're too stupid to google it and found out its a rtos for embedded systems that other smart watch makers in China are using
    https://www.mentor.com/embedded-software/industries/wearable-devices
    > apparently never contacted company to ask about connection

    • by AmiMoJo ( 196126 )

      It's just thinly veiled racism. It's Chinese, that alone is reason enough to be suspicious and mistrust it. It wouldn't surprise me if the guy is being paid by someone who makes >$17 smart watches and is upset that the Chinese are making a competitive product.

  • by pegdhcp ( 1158827 ) on Thursday March 03, 2016 @05:21PM (#51632195)
    Honestly, which slightly advanced OS and/or platforn does not call home? Maybe some not so good variants of Linux. This post so bad to be a piece of FUD, but close enough... Chinese and cheap, huh. They already are a superpower, your are late by 15-20 years, depending on the industry.
    • You aren't very bright. They OS or platform isn't calling home, the app is. I don't know any decent variant of Linux that calls home.
      • And you are dimmest of all then. What do you think you are doing while loading software updates from repositories, using telepathy?
        • Repos aren't "home", they can even be air-gapped from the internet if you're paranoid or have some other challenging networking.

          • It depends how paranoid you are while defining the "home". Last week Ubuntu modified lots of keys in CA. For me this is something critical enough.
            You are right that repos are not exactly designed to keep track of user actions, in the general sense of "home to be called". But you need to populate them, even if they are air,glass and steel gapped from the Internet. And during that population, you are replacing software packages by new binaries (and source if you like) provided by distribution packager. So th
            • So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

              It's simple enough to mirror the whole repo, assuming you have bandwidth.

            • You need a connection from one unrelated server, that doesn't even have to run the distribution you're maintaining the repo for, not the entire fleet... there's a significant difference in the ability to farm information there.

              Assuming you don't trust your binaries, and hence you feel there's some opportunity to open a back door, there's not. The transmission from Vendor => Repo Mirror is two-way, the transmission of Repo Mirror => Clients is /entirely/ under your own control, and the Clients can't ma

        • by dbIII ( 701233 )
          In that case the user is doing it deliberately.

          using telepathy

          With posters like the above brainfart I'm pretty fucking happy it doesn't exist.

  • Yikes, that's slightly terrifying.
  • Another fine product from the Nucleus family. Fsckin' Gavin Belson.
  • The packets go through the NSA routers before it can reach China.

  • If something is going out to someone else, I'm glad it is encrypted. Makes it harder for an attacker to learn stuff about what your phone is doing.

  • look, i get that you like cool devices that are capable of neat things but if history has proven anything, it's that these "smartthings" are are a bad investment and a security nightmare. we have smartTVs that spy on you and inject even more advertisements, we have watches that die faster than winding watches and are less accurate than some of the original mechanical clocks if they don't sync and finally we have cellphones that need daily charging and give your information to just about anyone.

    your "smartt

  • This article has enough completely-wrong aspects that exempts it from the concept of "not even wrong" I suppose.

    1) The watch does not engage in covert traffic. It's the pairing app for the watch that a user installs on a phone that does the communication.

    2) What on earth does the redundant phrase "covert communications behind the users' back" even mean? Have you looked at network traffic when *any* application has been launched? If you think that any app talking on the internet without explicitly asking

  • If you aren't already familiar with them, it would be prudent to learn how to utilize a packet sniffer to watch what your shiny new devices are doing once connected to a network. You may think twice about blindly connecting it to the same network your other systems reside upon.

Quark! Quark! Beware the quantum duck!

Working...