Right after smartwatches flooded the market and big players such as Apple, Samsung and Sony introduced their own models, they suddenly became the new cool gadget for everyone. People started buying them, but not everybody could afford the big-name devices, and, as always happens in the smartphone market, cheaper alternatives flooded in. But did you know that these cheap smartwatches could actually put your privacy at risk?
MobileIron's Director and Security Researcher Michael Raggo gave a presentation at the BSides security conference in San Francisco, where he revealed that a cheap smartwatch sold as the U8 Smartwatch (or U8 Nucleus) engages in covert communications without the user's knowledge. He presented a few case studies showing that some mobile apps expose the private data or secrets of an individual or a company.
Raggo tested several smartwatches, and the worst offender turned out to be the U8 Nucleus. This cheap Made-in-China smartwatch retails at approx. $17 (€15.6) and comes with an operating system called Nucleus. Raggo was not given any website from which he could download a pairing app for the U8 Smartwatch; instead, he received an IP address written on a piece of paper. Once he had downloaded a pairing app and connected his smartphone to the smartwatch, the watch started covert communications with an unidentified IP address located in China.
According to Raggo, the IP address was unknown and all of the traffic went over an encrypted channel. As a result, the researcher could not determine exactly what the app was sending to that IP. Neither the U8 website nor the watch's manual gave any hint about what was happening. It might be nothing more than simple telemetry data, but it could just as well be something as bad as the user's contact list, photos, videos and messages.
Let's see whether U8 is able to provide any explanation for this. Comment below if you own the U8 Smartwatch.