Digital personal assistant

View full version : Lenovo Watch X was riddled with security bugs, researcher says – TechCrunch


ahlam1399
02-12-2019, 08:10 AM
Lenovo's Watch X was widely panned as "absolutely terrible." (https://www.youtube.com/watch?v=i9Q3xj-Aczw) As it turns out, so was its security.

The low-end $50 smartwatch was one of Lenovo's cheapest smartwatches. Available only for the China market, anyone who wants one has to buy it directly from the mainland. Luckily for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. It didn't take him long to find several vulnerabilities that allowed him to change users' passwords, hijack accounts and spoof phone calls.

Because the smartwatch wasn't using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, such as how many steps he was taking.

"The entire API was unencrypted," said Yalon in an email to TechCrunch. "All data was transferred in plain text."

The API that helps power the watch was easily abused, he found, allowing him to reset anyone's password simply by knowing that person's username. That could have given him access to anyone's account, he said.

Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch's exclusivity to China, that might not be a red flag to locals. But Yalon said the watch had "already pinpointed my location" before he had even registered his account.

Yalon's research wasn't limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.

Using a similar malicious Bluetooth command, he could also set the alarm to go off, again and again. "The function allows adding multiple alarms, as often as every minute," he said.

Lenovo didn't have much to say about the vulnerabilities, beyond confirming their existence.

"The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China," said spokesperson Andrew Barron. "Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week."

Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.

"Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms," he said.



Source link (http://feedproxy.google.com/~r/Techcrunch/~3/SvgQfN3LmtE/)



More (http://ahlam1399.i234.me:8888/m/2019/02/12/lenovo-watch-x-was-riddled-with-security-bugs-researcher-says-techcrunch/)
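The password-reset weakness described in the article (reset anyone's password knowing only their username) is a missing authorization check on the reset endpoint. The following is an added illustration, not code from the original article, from Checkmarx, or from Lenovo's actual API: a constructed in-memory account service whose `VulnerableAccountApi` behaves the way the researcher reported, beside a `HardenedAccountApi` that refuses a reset unless the caller presents a session token bound to that same account. All class names, method names, usernames and passwords are assumed for the example.

```python
"""Constructed illustration of the password-reset flaw the article describes.

VulnerableAccountApi resets any account's password given only a username,
which is the behaviour Yalon reported. HardenedAccountApi requires a session
token bound to that same account. Neither class is Lenovo's real API; every
name, request shape and value below is assumed for the example.
"""

import hashlib
import hmac
import secrets


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; iteration count kept modest only to keep the example fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)


class VulnerableAccountApi:
    """Password reset that trusts the caller: anyone who knows a username can
    set a new password for it. This mirrors the reported weakness."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def reset_password(self, username: str, new_password: str) -> str:
        # No proof that the caller owns the account: the username alone is enough.
        if username not in self.users:
            return "unknown user"
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_password(new_password, salt))
        return "ok"


class HardenedAccountApi(VulnerableAccountApi):
    """Same storage, but a reset requires a session token issued to that account."""

    def __init__(self) -> None:
        super().__init__()
        self.sessions: dict[str, str] = {}  # token -> username

    def login(self, username: str, password: str):
        """Return a bearer token on success, None otherwise."""
        if not self.check_password(username, password):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

    def reset_password(self, username: str, new_password: str, token=None) -> str:
        # Authorization check: the token must exist and be bound to *this* username,
        # so an attacker's own valid session cannot reset someone else's password.
        if token is None or self.sessions.get(token) != username:
            return "forbidden"
        return super().reset_password(username, new_password)


def attacker_resets_victim(api_class) -> str:
    """Drive the attack the article describes against either API class and
    return the server's response. The attacker knows only the victim's username."""
    api = api_class()
    api.register("victim", "correct horse battery staple")  # constructed account
    if issubclass(api_class, HardenedAccountApi):
        # The attacker has a legitimate account and session of their own.
        api.register("attacker", "attacker-password")
        attacker_token = api.login("attacker", "attacker-password")
        return api.reset_password("victim", "pwned", token=attacker_token)
    return api.reset_password("victim", "pwned")


if __name__ == "__main__":
    print("vulnerable:", attacker_resets_victim(VulnerableAccountApi))  # ok
    print("hardened:  ", attacker_resets_victim(HardenedAccountApi))    # forbidden
```

The point of the hardened version is that a valid session is not enough on its own; the check is that the session belongs to the account being modified. Transport encryption (the article's other fix) is a separate layer: it stops the plaintext credential and telemetry leakage but does nothing about a reset endpoint that never asks who is calling.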