Lenovo Watch X was riddled with security bugs, researcher says

Lenovo’s Watch X was widely panned as “absolutely terrible.” As it
turns out, so was its security.

The low-end $50 smart watch was one of Lenovo’s cheapest smart
watches. Available only for the China market, it has to be bought
directly from the mainland. Lucky for Erez Yalon, head of security
research at Checkmarx, an application security testing company, he
was given one by a friend. But it didn’t take him long to find
several vulnerabilities that allowed him to change users’ passwords,
hijack accounts, and spoof phone calls.

Because the smart watch wasn’t using any encryption to send
data from the app to the server, Yalon said he was able to see his
registered email address and password sent in plain text, as well
as data about how he was using the watch, like how many steps he
was taking.

“The entire API was unencrypted,” said Yalon in an email to
TechCrunch. “All data was transferred in plain-text.”

The API that helps power the watch was easily abused, he found,
allowing him to reset anyone’s password simply by knowing a
person’s username. That could’ve given him access to anyone’s
account, he said.

Not only that, he found that the watch was sharing his precise
geolocation with a server in China. Given the watch’s exclusivity
to China, it might not be a red flag to natives. But Yalon said the
watch had “already pinpointed my location” before he had even
registered his account.

Yalon’s research wasn’t just limited to the leaky API. He
found that the Bluetooth-enabled smart watch could also be
manipulated from nearby, by sending crafted Bluetooth requests.
Using a small script, he demonstrated how easy it was to spoof a
phone call on the watch.

Using a similar malicious Bluetooth command, he could also set
the alarm to go off — again and again. “The function allows
adding multiple alarms, as often as every minute,” he said.

Lenovo didn’t have much to say about the vulnerabilities,
besides confirming their existence.

“The Watch X was designed for the China market and is only
available from Lenovo to limited sales channels in China,” said
spokesperson Andrew Barron. “Our [security team] team has been
working with the [original device manufacturer] that makes the
watch to address the vulnerabilities identified by a researcher and
all fixes are due to be completed this week.”

Yalon said that encrypting the traffic between the watch, the
Android app, and its web server would prevent snooping and help
reduce manipulation.

“Fixing the API permissions eliminates the ability of
malicious users to send commands to the watch, spoof calls, and set
alarms,” he said.
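The password-reset flaw described earlier (a reset gated only by the username) and the remedy Yalon proposes (fixing the API permissions) can be shown side by side. This is an added illustration, not Checkmarx’s or Lenovo’s code; the account store, token lifetime and handler names are assumptions.

```python
import hmac
import secrets
import time

# Constructed in-memory account store standing in for the watch's backend.
# Passwords are stored as-is here only to keep the example short; a real
# backend stores a salted hash.
ACCOUNTS = {"alice": {"password": "s3cret", "email": "alice@example.invalid"}}

# Pending reset tokens: username -> (token, expiry_timestamp). Single use.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime


def reset_password_insecure(username, new_password):
    """The flaw described in the article: the only input that gates the
    reset is the username, so anyone who knows a username owns the account."""
    if username not in ACCOUNTS:
        return False
    ACCOUNTS[username]["password"] = new_password
    return True


def issue_reset_token(username, now=None):
    """Step 1 of the hardened flow. The token is random and short-lived and
    would be delivered only to the account's registered email address; it is
    returned here purely so the example can exercise step 2."""
    if username not in ACCOUNTS:
        return None  # same response as success: do not reveal valid usernames
    token = secrets.token_urlsafe(32)
    expiry = (now if now is not None else time.time()) + TOKEN_TTL_SECONDS
    RESET_TOKENS[username] = (token, expiry)
    return token


def reset_password_secure(username, token, new_password, now=None):
    """Step 2: require proof of control of the out-of-band channel. The token
    must match (constant-time compare), be unexpired, and is consumed on use."""
    pending = RESET_TOKENS.get(username)
    if pending is None or not isinstance(token, str):
        return False
    expected, expiry = pending
    if (now if now is not None else time.time()) > expiry:
        RESET_TOKENS.pop(username, None)  # expired tokens are discarded
        return False
    if not hmac.compare_digest(expected, token):
        return False
    RESET_TOKENS.pop(username, None)  # single use: a replayed token fails
    ACCOUNTS[username]["password"] = new_password
    return True
```

The insecure handler is the 'before' state the article describes; the hardened pair is one standard way to tie a reset to the account owner rather than to anyone who knows the username.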

Source: FS – All Tech News 2