Slashdot Mirror


U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back (softpedia.com)

An anonymous reader writes: In a presentation at the BSides security conferences in San Francisco, Michael Raggo from MobileIron has revealed that he discovered a cheap smartwatch engaging in covert communications behind the users' back. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user would install the iOS/Android app that allows the owners to manage the smartwatch via their phones, the app would start an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned something like this was happening in the first place.

91 comments

  1. The Chinese by Anonymous Coward · · Score: 5, Funny

    The Chinese want to know what time it is in America! The bastards!

    1. Re:The Chinese by Anonymous Coward · · Score: 0

      I know China very well! Let's MAke watches great again!

    2. Re:The Chinese by Anonymous Coward · · Score: 0

      What time is it? It's rice time!

    3. Re:The Chinese by Tx · · Score: 3, Funny

      It spies on you? So the Chinese can do the core features of Windows 10 in a $17 smartwatch? And you wonder why America is being left behind.

      --
      Oh no... it's the future.
    4. Re:The Chinese by zlives · · Score: 2

      but but... win 10 is "free"

  2. Now B-Sides is full of useless presentations? by al0ha · · Score: 1

    Geez, I am so tired of these lame presentations and announcements. A n00b could figure this out, how is it relevant to real security research, much less worth a presentation at B-Sides?

    Z-z-z-z-z-z-z....

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re: Now B-Sides is full of useless presentations? by Anonymous Coward · · Score: 1

      And yet, you didn't. Does that make you worse than a useless noob? :3

    2. Re: Now B-Sides is full of useless presentations? by Anonymous Coward · · Score: 0

      buuurn :)))

    3. Re: Now B-Sides is full of useless presentations? by al0ha · · Score: 0

      Lame attempt at a burn by a useless troll, there is no relevance to the original post which clearly indicates the impression B-Sides is becoming lame and *security researchers* like the one providing this presentation in a forum where the less knowledgeable attend to learn something useful have been ripped-off by someone trying to make some kind of name for themselves with a presentation that in effect should have been a three liner post to security forums.

      Sooooo laaammmeee.....

      --
      Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    4. Re: Now B-Sides is full of useless presentations? by Anonymous Coward · · Score: 0

      Take your burn and shut the fuck up already. No one in the history of anything cares about what you have to spew.

  3. Mess with them by Anonymous Coward · · Score: 1

    Intercept the packets, change a few bytes here and there, and send them on their way.

    1. Re:Mess with them by MobileTatsu-NJG · · Score: 5, Interesting

      Intercept the packets, change a few bytes here and there, and send them on their way.

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Mess with them by tlhIngan · · Score: 1

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      And start sending wildly strange data too - you can bet their tools aren't going to have robust error checking, so an interesting set of numbers may cause it to just segfault.

      Imagine polluting their database with data that crashes all their tools - their nightly analytics fails constantly, they can't load their database, etc. If you scatter the errors throughout they'll have a hard time cleaning up the data...

    3. Re:Mess with them by BradMajors · · Score: 1

      Does not work. The data is encrypted.

    4. Re:Mess with them by LynnwoodRooster · · Score: 2

      I've yet to see a stream of data be properly decoded when chunks of it are randomly changed. Including encrypted data. It tends to make the encrypted data worthless...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    5. Re:Mess with them by MrNiceguy_KS · · Score: 1

      I'll have to send them the info from Bobby Table's watch.

      --
      Redundancy is good And also good.
    6. Re:Mess with them by ericloewe · · Score: 1

      *Especially* encrypted data. Or compressed, really.

    7. Re:Mess with them by Anonymous Coward · · Score: 0

      Find all corrupt data, match IP, ban IP, done. if data != clean, ban IP, done.

    8. Re:Mess with them by Anonymous Coward · · Score: 0

      If that worked the winblows 10 spy servers would have disappeared long ago

    9. Re:Mess with them by lsatenstein · · Score: 1

      Intercept the packets, change a few bytes here and there, and send them on their way.

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      How is a company going to obtain meta data that would allow them to analyse for product improvement. It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.

      The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

      --
      Leslie Satenstein Montreal Quebec Canada
    10. Re:Mess with them by MobileTatsu-NJG · · Score: 1

      How is a company going to obtain meta data that would allow them to analyse for product improvement.

      Transparency.

      It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.

      There is nothing anonymous about it. All you can do is hope they're benevolent.

      The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

      [CITATION NEEDED]

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  4. FBI shills by Anonymous Coward · · Score: 0

    Therefore, we must end smart phone encryption to prevent things like this from happening. Think of the children!

  5. why single out out chinese? by sittingnut · · Score: 4, Interesting

    there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
    but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
    so why select obscure presentations targeting chinese ones?
    btw what are the past accomplishments of michael raggo and mobileIron in this field?

    1. Re:why single out out chinese? by Anonymous Coward · · Score: 1

      He wrote some books regarding corporate security. He's obviously legit if he got invited to present at BSides

    2. Re:why single out out chinese? by mrchaotica · · Score: 1

      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them

      Sure, and all those "other devices" are made in China too!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:why single out out chinese? by Anonymous Coward · · Score: 0

      We live in a time when home thermostats need rebooting and require a "cloud" connection for configuration: If you phone home, do it boldly, not sneakily with no apparent purpose. It's OK to collect statistics and construct profiles of your customers if they willingly* give you the information.

      *) one might say stupidly, but that is judgmental.

    4. Re:why single out out chinese? by Threni · · Score: 1

      This is some work performed on a specific device. You're just....typing.

      "but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?"

      Doesn't they? I don't know. Where's the report on that? Perhaps we should add them up. Do some send their data to spain, france, brazil? Who knows?

    5. Re:why single out out chinese? by SuperKendall · · Score: 2

      there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .

      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?

      If there were, why wouldn't we have seen stories about this?

      The answer is no, and the product you are alluding to (the AppleWatch) specifically does not do anything like this - unless after you are asked, you give permission to send device stats to Apple. Even then the devices are limited in what you send, not for instance just streaming audio around you like one TV maker did...

      so why select obscure presentations targeting chinese ones?

      Gosh, why would they when it's all Chinese devices that have been found to have issues with doing this and not telling anyone?

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    6. Re:why single out out chinese? by sociocapitalist · · Score: 1

      there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
      so why select obscure presentations targeting chinese ones?
      btw what are the past accomplishments of michael raggo and mobileIron in this field?

      There have been plenty of articles about other companies (mostly lately Microsoft) for exactly this sort of thing so no, Chinese ones are not being singled out for any special attention.

      --
      blindly antisocialist = antisocial
    7. Re:why single out out chinese? by AmiMoJo · · Score: 0

      If there were, why wouldn't we have seen stories about this?

      No, because we would have understood what was happening and realized it is a non-story. Instead, because it's Chinese and the researcher doesn't speak Chinese or make much effort to ask the manufacturer what is happening, it must be evil.

      Chances are it's connecting to a server to look for firmware updates for the watch. It's encrypted because the Chinese manufacturer did a good job of preventing MITM attacks and the like on the firmware update process.

      But hey, let's not bother finding out if that's the case, let's just assume it's evil. I mean, it's Chinese, it must be trying to hack the US, right?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:why single out out chinese? by martinfb · · Score: 1

      Hmmmm! I wonder if any other countries are doing any snooping?! WAIT! The USA does that! (Would that be the pot calling the kettle 'black'?)

      --


      Self-importance and self-indulgence is the root of ALL evil.
  6. US companies.... by bazmail · · Score: 2

    ... would never dream of doing such a thing?

    1. Re:US companies.... by Anonymous Coward · · Score: 0

      US companies have to follow laws and say what they collect or the FTC fines their a$$es. This Chinese company's smartwatch manual has 4 pages and doesn't say anything about hidden traffic. So yeah... I think it's something they don't want people to know about.

    2. Re: US companies.... by Anonymous Coward · · Score: 0

      No, because the FTC would hammer them. I've been involved with two cases, and despite being innocent, the FTC was still scary. I went most of a month without sleeping more than a couple of hours a night.

    3. Re:US companies.... by JackieBrown · · Score: 1

      If they do then post the story about it. And explain why that actually makes a difference about this story.

    4. Re:US companies.... by Anonymous Coward · · Score: 0

      US companies have to follow laws and say what they collect or the FTC fines their a$$es.

      If you believe that, I have a bridge for sale.

    5. Re: US companies.... by Anonymous Coward · · Score: 0

      Oh... So it doesn't happen because it's against the law! Now we all feel safe.

    6. Re:US companies.... by Anonymous Coward · · Score: 0

      [My AC posts don't seem to show up even with the filter at -1.. Could someone please reply so I'll know if it works?]

      The obvious one is Windows 10. The only difference is that Microsoft has been reluctantly open about what the data is (telemetry), as there's no way it could go unnoticed because of the huge user base. [Also, it's possible to install a custom root CA on Windows, so one can monitor SSL traffic with a quasi-transparent proxy, even without any local software] Beyond Windows, it's virtually impossible to find a US device that *doesn't* phone home these days, but it's quite obvious why it's doing it. Like showing the company's homepage, hundreds of different "smart" / cloud services etc.

    7. Re:US companies.... by dcw3 · · Score: 1

      Does the MS EULA say that for Win 10?

      --
      Just another day in Paradise
    8. Re: US companies.... by Anonymous Coward · · Score: 0

      >Bridge for sale
      >Does win 10 say something like that?

      I don't trust a free bridge like I don't trust a hangglider assembled in Haiti.

    9. Re:US companies.... by houghi · · Score: 1

      They dream about it as I dreamt about Raquel Welch as a teenager.

      --
      Don't fight for your country, if your country does not fight for you.
    10. Re:US companies.... by Anonymous Coward · · Score: 0

      Holy c***! A $17 smartwatch that likely doesn't give my information to US companies (or government).
      I'm buying two!

  7. I have this watch by 110010001000 · · Score: 1

    I actually found one of these watches behind my house. It is complete garbage. Never use software from China.

    1. Re:I have this watch by The-Ixian · · Score: 2

      Never use software from China.

      I can pretty much guarantee that you use Chinese software every day of your life either directly or indirectly.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:I have this watch by 110010001000 · · Score: 1

      I can guarantee that we don't. Name one.

    3. Re:I have this watch by Anonymous Coward · · Score: 0

      Nucleus OS is an embedded real-time os developed by a company in Oregon, Mentor Graphics.

    4. Re:I have this watch by 110010001000 · · Score: 1

      Yes the OS isn't so bad. The app is.

    5. Re:I have this watch by LynnwoodRooster · · Score: 1

      Who made your coffeemaker, your microwave, your TV? Firmware in there...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    6. Re:I have this watch by Darinbob · · Score: 1

      I don't think there's any relation here.

    7. Re:I have this watch by 110010001000 · · Score: 1

      I don't have a Chinese coffeemaker, microwave or TV. Neither do you!

    8. Re:I have this watch by Anonymous Coward · · Score: 0

      Is likely written by Korean or Japanese.

    9. Re:I have this watch by LynnwoodRooster · · Score: 1

      What brand do you have? Most likely, the engineering staff resides in China. You'd be surprised how many mundane appliances we use are ODM'd out of China.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    10. Re:I have this watch by currently_awake · · Score: 1

      When Japan was recovering from WW2 they had no quality control and everything was garbage. But by selling the cheapest garbage they got the opportunity to learn and improve, until they became known for selling the best quality stuff. China is working along the same path, and India will be next after China becomes too expensive.

  8. Chinese? by Anonymous Coward · · Score: 0

    I'd be more worried about having its cheap Chinese batteries explode and burn my wrist.

  9. article is FUD by Anonymous Coward · · Score: 3, Interesting

    Wow, these guys come off as idiots.

    >claims it connects to random IP but they can't find it or determine what it is.
    Too stupid to check APNIC?
    > claims watch runs a weird OS "Nucleus"
    Apparently they're too stupid to google it and find out it's an RTOS for embedded systems that other smart watch makers in China are using
    https://www.mentor.com/embedded-software/industries/wearable-devices
    > apparently never contacted company to ask about connection

    1. Re:article is FUD by Anonymous Coward · · Score: 0

      Do you really think that calling the company in China and asking them those questions will get you honest answers? BWAAH HAA HAA... noob.

    2. Re:article is FUD by zlives · · Score: 0

      last time i called it went like this..

      Chinese Executive: You are American.
      Watch Owner: Yes.
      Chinese Executive: Ohhh, you must have very big penis!
      Watch Owner: Excuse me, I was just asking you what you're up to with these watches.
      Chinese Executive: Nothing, we are very simple people with very small penis. My penis is especially small! ...So small.
      Chinese Executive: We cannot achieve so much with such small penis, but you American wow, penis so big, so big penis!
      Watch Owner: Well aah I guess it is pretty good size. ummm ok then.

    3. Re:article is FUD by Anonymous Coward · · Score: 0

      Do you know any case where a Chinese company answered questions? Even Huawei barely answers the media. All Chinese companies plow through accusations and don't give a shit. Especially when some tiny researcher Raggo calls in to inquire about security protocols.

    4. Re:article is FUD by Anonymous Coward · · Score: 0

      to be fair, the researchers said they'll be issuing a special report on U8 after the BSides presentation, that's why they didn't reveal the IP address

    5. Re:article is FUD by Anonymous Coward · · Score: 0

      + 0.5 Southpark

    6. Re:article is FUD by AmiMoJo · · Score: 1

      It's just thinly veiled racism. It's Chinese, that alone is reason enough to be suspicious and mistrust it. It wouldn't surprise me if the guy is being paid by someone who makes >$17 smart watches and is upset that the Chinese are making a competitive product.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  10. So what by pegdhcp · · Score: 2

    Honestly, which slightly advanced OS and/or platform does not call home? Maybe some not so good variants of Linux. This post so bad to be a piece of FUD, but close enough... Chinese and cheap, huh. They already are a superpower, you are late by 15-20 years, depending on the industry.

    1. Re:So what by 110010001000 · · Score: 2

      You aren't very bright. The OS or platform isn't calling home, the app is. I don't know any decent variant of Linux that calls home.

    2. Re:So what by pegdhcp · · Score: 1

      And you are dimmest of all then. What do you think you are doing while loading software updates from repositories, using telepathy?

    3. Re:So what by Anonymous Coward · · Score: 0

      I won't use anything that calls home -- at least not anything that I can't block from doing so. No software company has any business doing that without permission. On the other hand, I don't have much sympathy for anyone so stupid that they think it's clever to have their watch talk to their phone.

    4. Re:So what by Zaelath · · Score: 2

      Repos aren't "home", they can even be air-gapped from the internet if you're paranoid or have some other challenging networking.

    5. Re:So what by pegdhcp · · Score: 1

      It depends how paranoid you are while defining the "home". Last week Ubuntu modified lots of keys in CA. For me this is something critical enough.
      You are right that repos are not exactly designed to keep track of user actions, in the general sense of "home to be called". But you need to populate them, even if they are air,glass and steel gapped from the Internet. And during that population, you are replacing software packages by new binaries (and source if you like) provided by distribution packager. So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

    6. Re:So what by drinkypoo · · Score: 1

      So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

      It's simple enough to mirror the whole repo, assuming you have bandwidth.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:So what by Zaelath · · Score: 1

      You need a connection from one unrelated server, that doesn't even have to run the distribution you're maintaining the repo for, not the entire fleet... there's a significant difference in the ability to farm information there.

      Assuming you don't trust your binaries, and hence you feel there's some opportunity to open a back door, there's not. The transmission from Vendor => Repo Mirror is two-way, the transmission of Repo Mirror => Clients is /entirely/ under your own control, and the Clients can't magically create networking paths that don't exist just because a new binary would like one.

      I don't think you understand the term "air-gapped".

    8. Re:So what by dbIII · · Score: 1

      In that case the user is doing it deliberately.

      using telepathy

      With posters like the above brainfart I'm pretty fucking happy it doesn't exist.

  11. Re:So just like the US then by JackieBrown · · Score: 1

    China, USA..... honestly is there any difference these days ?

    So it's a continued race to the bottom?

  12. Why always the Chinese by Anonymous Coward · · Score: 0

    Why is it always that security researchers find this crap in Chinese companies. Have you ever heard of a security researcher saying I found this EU or US app secretly sending traffic from my device behind my back? And why in the hell aren't US lawmakers enforcing the same privacy laws on Chinese companies they enforce on US ones. Do you know how hard is it to handle US user data, but these crappy products never get tested... and then slashdotters comment "why are you picking on the chinese for?"

    1. Re:Why always the Chinese by thesupraman · · Score: 1

      I can only assume you have not been taken advantage of by Microsoft's windows 10 'upgrade' yet?

      And anyway, it is patently obviously not the watch doing this, it's the associated smartphone app that does it.
      Should it be? Almost certainly not. Is it common as mud? Pretty much.

    2. Re:Why always the Chinese by Impy+the+Impiuos+Imp · · Score: 1

      Windows does lots of stuff nobody knows about because it is encrypted. While this is good for security, you now have to take Microsoft's word for it it is all benign.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  13. Yikes by riis138 · · Score: 1

    Yikes, that's slightly terrifying.

    --
    Somewhere, something incredible is waiting to be known. -Carl Sagan
  14. Welcome, Chinese Spyware Overlords! by Anonymous Coward · · Score: 1

    I, for one, welcome our new Chinese spyware overlords!

  15. Teledildonics by Anonymous Coward · · Score: 0

    No wait, telemetry is the word I was looking for. Excusable mistake. Considering that Microsoft and everybody else fucks us over, telemetry is a bit of misnomer.

    1. Re:Teledildonics by Wintermute__ · · Score: 1

      Repeat after me, telemetry is spying. Telemetry is spying.

      Telemetry is spying.

  16. Neat gadget by Anonymous Coward · · Score: 0

    If somebody manages to reverse engineer it, it could be pretty useful.

  17. Silicon Valley by AnotherAnonymousUser · · Score: 1

    Another fine product from the Nucleus family. Fsckin' Gavin Belson.

  18. Dont Worry by psybre · · Score: 1

    The packets go through the NSA routers before it can reach China.

    --
    Authority questions you. Return the favor. -- d474
  19. Re: So just like the US then by Anonymous Coward · · Score: 0

    I dunno bout you but I prefer Eastasia to Oceania, just saying; girls are prettier in Eastasia

  20. At least it is encrypted by subanark · · Score: 1

    If something is going out to someone else, I'm glad it is encrypted. Makes it harder for an attacker to learn stuff about what your phone is doing.

  21. your "smartthings" are dumb by Gravis+Zero · · Score: 1

    look, i get that you like cool devices that are capable of neat things but if history has proven anything, it's that these "smartthings" are a bad investment and a security nightmare. we have smartTVs that spy on you and inject even more advertisements, we have watches that die faster than winding watches and are less accurate than some of the original mechanical clocks if they don't sync and finally we have cellphones that need daily charging and give your information to just about anyone.

    your "smartthings" are dumb.

    --
    Anons need not reply. Questions end with a question mark.
  22. Covert communications, eh? Where to even start... by WD · · Score: 1

    This article has enough completely-wrong aspects that exempts it from the concept of "not even wrong" I suppose.

    1) The watch does not engage in covert traffic. It's the pairing app for the watch that a user installs on a phone that does the communication.

    2) What on earth does the redundant phrase "covert communications behind the users' back" even mean? Have you looked at network traffic when *any* application has been launched? If you think that any app talking on the internet without explicitly asking the user first counts as "covert communications", then I think you can label just about all of the software out there (esp. in the mobile space) as engaging in "covert communications."

    3) The phrase "random IP address" used by the speaker is slang meant to convey that he didn't know what it is. In this case, it's a system referred to by its IP rather than its DNS name. So rather than looking up who owns the IP address, he says it's "random" and shrugs.

    4) To give up and say that it's "very difficult to determine" what is being sent over the network because it's over an encrypted channel is ridiculous. For all we know, it's just talking to the software vendor via HTTPS. In which case it would be trivial to inspect by using MITM.

    I'm not saying that there's nothing sketchy going on here. But to provide zero evidence of what's actually happening and just speculate and spread FUD is irresponsible.

  23. Probably just a firewall puncher. by Anonymous Coward · · Score: 0

    Guys/gals, yes we know Chinese firmware has really been found to be spying in certain cases, but this may just be a STUN(?) or reverse connection mechanism in order to allow talking between the phone and the watch across/through NAT. Think about it. Two devices that may be in different, privately-networked locations need a third-party server to set up the connection.

    I suspect some of the recent IPcam stories are a case of the same requirement. Of course they could ALSO be spying with it, but NAT traversal is a legit reason to make a connection to a specific third-party server.

  24. Humm by Anonymous Coward · · Score: 0

    Is it that strange to phone home?

  25. In computalist China... by Anonymous Coward · · Score: 0

    ...smart watches you!

    Uh -- hmm.

  26. In the era of IOT by nehumanuscrede · · Score: 1

    If you aren't already familiar with them, it would be prudent to learn how to utilize a packet sniffer to watch what your shiny new devices are doing once connected to a network. You may think twice about blindly connecting it to the same network your other systems reside upon.
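
Added example, not part of the thread: a sketch of the check suggested in comments 22 and 26, reading a packet sniffer's text output and listing the TCP connections a phone opens to addresses it never looked up in DNS (a system "referred to by its IP rather than its DNS name"). The capture lines are constructed in `tcpdump -n` text style with documentation-range addresses, and the function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text style; every address is a placeholder.
# 192.168.1.50 stands in for the phone running the companion app.
SAMPLE_CAPTURE = """\
12:00:01.100000 IP 192.168.1.50.41000 > 192.168.1.1.53: 1001+ A? api.vendor.example. (36)
12:00:01.120000 IP 192.168.1.1.53 > 192.168.1.50.41000: 1001 1/0/0 A 198.51.100.10 (52)
12:00:01.200000 IP 192.168.1.50.50001 > 198.51.100.10.443: Flags [S], seq 100, win 65535, length 0
12:00:01.230000 IP 198.51.100.10.443 > 192.168.1.50.50001: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:05.000000 IP 192.168.1.50.50002 > 203.0.113.77.8443: Flags [S], seq 200, win 65535, length 0
12:00:35.000000 IP 192.168.1.50.50003 > 203.0.113.77.8443: Flags [S], seq 300, win 65535, length 0
12:00:40.000000 IP 192.168.1.77.50010 > 203.0.113.99.443: Flags [S], seq 400, win 65535, length 0
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"

# DNS response: source port 53 on the resolver, addressed to the client.
DNS_RESPONSE = re.compile(rf"IP {IP}\.53 > (?P<client>{IP})\.\d+: (?P<body>.*)$")
# A records inside the response body ("AAAA" is deliberately not matched).
A_RECORD = re.compile(rf"\bA ({IP})")
# Outbound connection attempt: a bare SYN, not the SYN-ACK "[S.]" coming back.
SYN = re.compile(
    rf"IP (?P<src>{IP})\.(?P<sport>\d+) > (?P<dst>{IP})\.(?P<dport>\d+): Flags \[S\],"
)


def unresolved_destinations(capture_text, client_ip):
    """Return [((dst_ip, dst_port), syn_count), ...] for connections that
    client_ip opened to addresses no earlier DNS answer in the capture gave it.

    Caveats: an answer cached before the capture started, or DNS carried over
    HTTPS/TLS, also shows up here, so treat the result as a list of
    destinations to look up (whois, APNIC and so on), not as a verdict.
    """
    resolved = set()
    hits = Counter()
    for line in capture_text.splitlines():
        m = DNS_RESPONSE.search(line)
        if m:
            if m["client"] == client_ip:
                resolved.update(A_RECORD.findall(m["body"]))
            continue
        m = SYN.search(line)
        if m and m["src"] == client_ip and m["dst"] not in resolved:
            hits[(m["dst"], int(m["dport"]))] += 1
    # Most frequently contacted destination first, then by address.
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for (dst, port), count in unresolved_destinations(SAMPLE_CAPTURE, "192.168.1.50"):
        print(f"{dst}:{port} contacted {count}x without a DNS lookup")
```
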

  27. Re:So just like the US then by Anonymous Coward · · Score: 0

    China has health care