
Shady $17 smartwatch sends your data to an unknown Chinese server

As The Register reports, the watch’s suspicious connections were exposed by MobileIron research director Michael Raggo at the BSides San Francisco security conference this week. Raggo described the watch as a threat to individual and enterprise security, warning that its activity is unknown.
Smartwatches like the Apple Watch, Samsung Galaxy Gear, Motorola Moto 360 and Pebble Time are slowly increasing in popularity. This has led to an influx of cheap clones from China, offering basic smartwatch functionality for prices that may seem to be impossibly low.

The $17 “U8 Watch”


The $17 U8 Watch is an example. The Bluetooth 3.0-based device claims to be compatible primarily with Android phones running versions newer than 2.3. It has a 1.48-inch touchscreen and a 230mAh rechargeable battery. Built of silicone and aluminium, the U8 weighs a rather heavy 76 g, which suggests it probably isn’t too comfortable to wear.
The feature list speaks of a stopwatch function, hands-free calls, support for displaying notifications, calendar appointments, a clock and calendar and the ability to use the watch as a pressure gauge. It is paired to a companion app on Android devices but also appears to be compatible with the iPhone. The U8’s website helpfully explains that “Apple phone can’t download the APP” and that “only part of function works” when used with an iPhone.
It turns out that not having the app (or “APP”, as U8 would prefer) may actually be an advantage though. According to Raggo, the app isn’t in the Play Store, instead being offered for download from an unknown server. The server’s address comes “scrawled on a piece of paper” inside the box of the watch, leaving the user to fire up a web browser and type in the URL.

The specified server does exist and will provide a “Pairing App” that works with the U8 Watch. Downloading apps from outside the Play Store is always risky, however, which is a telling indication of the manufacturer’s commitment to security.
Once installed, the app begins to connect to a “random IP address” in China, uploading data to an unknown server. Raggo ran dynamic and behavioural analysis to ascertain that the app frequently connected to the server, even though there was no apparent need to do so. The U8 watch works over Bluetooth, so data transmissions should remain strictly between the watch and phone.
The discovery serves as a warning that cheap technology that sounds too good to be true almost certainly is. Any purchasers of the U8 watch should be careful, as the identity of the server and the contents of the data packets being uploaded remain unknown. Raggo also analysed smartwatches running Android Wear, Apple WatchOS and Samsung Tizen, unveiling a tool to help identify vulnerabilities in smartwatch pairing apps.
