Slashdot Mirror


U8 Smartwatch Engages In Covert Traffic With Chinese IP Behind Your Back (softpedia.com)

An anonymous reader writes: In a presentation at the BSides security conferences in San Francisco, Michael Raggo from MobileIron has revealed that he discovered a cheap smartwatch engaging in covert communications behind the users' back. The watch in question is the U8 Nucleus, a cheap smartwatch that's made in China, sold for around $17 (€15.6), which also runs its own operating system, also known as Nucleus. When the user would install the iOS/Android app that allows the owners to manage the smartwatch via their phones, the app would start an encrypted communications channel with an IP address in China. This could be telemetry or analytics data, but nothing in the U8 smartwatch manual or website even mentioned something like this was happening in the first place.

  1. The Chinese by Anonymous Coward · · Score: 5, Funny

    The Chinese want to know what time it is in America! The bastards!

    1. Re:The Chinese by Tx · · Score: 3, Funny

      It spies on you? So the Chinese can do the core features of Windows 10 in a $17 smartwatch? And you wonder why America is being left behind.

      --
      Oh no... it's the future.
    2. Re:The Chinese by zlives · · Score: 2

      but but... win 10 is "free"

  2. Now B-Sides is full of useless presentations? by al0ha · · Score: 1

    Geez, I am so tired of these lame presentations and announcements. A n00b could figure this out, how is it relevant to real security research, much less worth a presentation at B-Sides?

    Z-z-z-z-z-z-z....

    --
    Did you ever wake up in the morning, with a Zombie Woof behind your eyes? -- FZ
    1. Re: Now B-Sides is full of useless presentations? by Anonymous Coward · · Score: 1

      And yet, you didn't. Does that make you worse than a useless noob? :3

  3. Mess with them by Anonymous Coward · · Score: 1

    Intercept the packets, change a few bytes here and there, and send them on their way.

    1. Re:Mess with them by MobileTatsu-NJG · · Score: 5, Interesting

      Intercept the packets, change a few bytes here and there, and send them on their way.

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

    2. Re:Mess with them by tlhIngan · · Score: 1

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      And start sending wildly strange data too - you can bet their tools aren't going to have robust error checking, so an interesting set of numbers may cause it to just segfault.

      Imagine polluting their database with data that crashes all their tools - their nightly analytics fails constantly, they can't load their database, etc. If you scatter the errors throughout they'll have a hard time cleaning up the data...

    3. Re:Mess with them by BradMajors · · Score: 1

      Does not work. The data is encrypted.

    4. Re:Mess with them by LynnwoodRooster · · Score: 2

      I've yet to see a stream of data be properly decoded when chunks of it are randomly changed. Including encrypted data. It tends to make the encrypted data worthless...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    5. Re:Mess with them by MrNiceguy_KS · · Score: 1

      I'll have to send them the info from Bobby Table's watch.

      --
      Redundancy is good And also good.
    6. Re:Mess with them by ericloewe · · Score: 1

      *Especially* encrypted data. Or compressed, really.

    7. Re:Mess with them by lsatenstein · · Score: 1

      Intercept the packets, change a few bytes here and there, and send them on their way.

      In all seriousness, I wonder when we're going to start responding with tactics like this. Imagine not just fuzzing the data, but imagine software that mimics thousands of these watches sending the fuzzed data back. Which one is the real data?

      How is a company going to obtain meta data that would allow them to analyse for product improvement. It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.

      The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

      --
      Leslie Satenstein Montreal Quebec Canada
    8. Re:Mess with them by MobileTatsu-NJG · · Score: 1

      How is a company going to obtain meta data that would allow them to analyse for product improvement.

      Transparency.

      It's time to stop thinking that everyone cares about your private life. With a few million watches sold, your info is only one anonymous statistical measurement.

      There is nothing anonymous about it. All you can do is hope they're benevolent.

      The Chinese would like to know if the bracelet can fit fat slobs, battery life, etc.

      [CITATION NEEDED]

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  4. why single out out chinese? by sittingnut · · Score: 4, Interesting

    there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
    but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
    so why select obscure presentations targeting chinese ones?
    btw what are the past accomplishments of michael raggo and mobileIron in this field?

    1. Re:why single out out chinese? by Anonymous Coward · · Score: 1

      He wrote some books regarding corporate security. He's obviously legit if he got invited to present at BSides

    2. Re:why single out out chinese? by mrchaotica · · Score: 1

      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them

      Sure, and all those "other devices" are made in China too!

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:why single out out chinese? by Threni · · Score: 1

      This is some work performed on a specific device. You're just....typing.

      "but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?"

      Doesn't they? I don't know. Where's the report on that? Perhaps we should add them up. Do some send their data to spain, france, brazil? Who knows?

    4. Re:why single out out chinese? by SuperKendall · · Score: 2

      there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .

      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?

      If there were, why wouldn't we have seen stories about this?

      The answer is no, and the product you are alluding to (the AppleWatch) specifically does not do anything like this - unless after you are asked, you give permission to send device stats to Apple. Even then the devices are limited in what you send, not for instance just streaming audio around you like one TV maker did...

      so why select obscure presentations targeting chinese ones?

      Gosh, why would they when it's all Chinese devices that have been found to have issues with doing this and not telling anyone?

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    5. Re:why single out out chinese? by sociocapitalist · · Score: 1

      there has been several of these kind of stories here about chinese devices secretly phoning home to an ip addresses (easily found to be chinese) .
      but doesn't lot of other devices do that, regardless of origin of company that makes, designs, or markets, them ( esp device that are much hyped and costs lot more than this)?
      so why select obscure presentations targeting chinese ones?
      btw what are the past accomplishments of michael raggo and mobileIron in this field?

      There have been plenty of articles about other companies (mostly lately Microsoft) for exactly this sort of thing so no, Chinese ones are not being singled out for any special attention.

      --
      blindly antisocialist = antisocial
    6. Re:why single out out chinese? by martinfb · · Score: 1

      Hmmmm! I wonder if any other countries are doing any snooping?! WAIT! The USA does that! (Would that be the pot calling the kettle 'black'?)

      --


      Self-importance and self-indulgence is the root of ALL evil.
  5. US companies.... by bazmail · · Score: 2

    ... would never dream of doing such a thing?

    1. Re:US companies.... by JackieBrown · · Score: 1

      If they do then post the story about it. And explain why that actually makes a difference about this story.

    2. Re:US companies.... by dcw3 · · Score: 1

      Does the MS EULA say that for Win 10?

      --
      Just another day in Paradise
    3. Re:US companies.... by houghi · · Score: 1

      They dream about it as I dreamt about Rachel Welch as a teenager.

      --
      Don't fight for your country, if your country does not fight for you.
  6. I have this watch by 110010001000 · · Score: 1

    I actually found one of these watches behind my house. It is complete garbage. Never use software from China.

    1. Re:I have this watch by The-Ixian · · Score: 2

      Never use software from China.

      I can pretty much guarantee that you use Chinese software every day of your life either directly or indirectly.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:I have this watch by 110010001000 · · Score: 1

      I can guarantee that we don't. Name one.

    3. Re:I have this watch by 110010001000 · · Score: 1

      Yes the OS isn't so bad. The app is.

    4. Re:I have this watch by LynnwoodRooster · · Score: 1

      Who made your coffeemaker, your microwave, your TV? Firmware in there...

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    5. Re:I have this watch by Darinbob · · Score: 1

      I don't think there's any relation here.

    6. Re:I have this watch by 110010001000 · · Score: 1

      I don't have a Chinese coffeemaker, microwave or TV. Neither do you!

    7. Re:I have this watch by LynnwoodRooster · · Score: 1

      What brand do you have? Most likely, the engineering staff resides in China. You'd be surprised how many mundane appliances we use are ODM'd out of China.

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    8. Re:I have this watch by currently_awake · · Score: 1

      When Japan was recovering from WW2 they had no quality control and everything was garbage. But by selling the cheapest garbage they got the opportunity to learn and improve, until they became known for selling the best quality stuff. China is working along the same path, and India will be next after China becomes too expensive.

  7. article is FUD by Anonymous Coward · · Score: 3, Interesting

    Wow, these guys come off as idiots.

    >claims it connects to random IP but they can't find it or determine what it is.
    Too stupid to check APNIC?
    > claims watch runs a weird OS "Nucleus"
    Apparently they're too stupid to google it and find out it's an RTOS for embedded systems that other smart watch makers in China are using
    https://www.mentor.com/embedded-software/industries/wearable-devices
    > apparently never contacted company to ask about connection

    1. Re:article is FUD by AmiMoJo · · Score: 1

      It's just thinly veiled racism. It's Chinese, that alone is reason enough to be suspicious and mistrust it. It wouldn't surprise me if the guy is being paid by someone who makes >$17 smart watches and is upset that the Chinese are making a competitive product.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  8. So what by pegdhcp · · Score: 2

    Honestly, which slightly advanced OS and/or platform does not call home? Maybe some not so good variants of Linux. This post so bad to be a piece of FUD, but close enough... Chinese and cheap, huh. They already are a superpower, you are late by 15-20 years, depending on the industry.

    1. Re:So what by 110010001000 · · Score: 2

      You aren't very bright. The OS or platform isn't calling home, the app is. I don't know any decent variant of Linux that calls home.

    2. Re:So what by pegdhcp · · Score: 1

      And you are dimmest of all then. What do you think you are doing while loading software updates from repositories, using telepathy?

    3. Re:So what by Zaelath · · Score: 2

      Repos aren't "home", they can even be air-gapped from the internet if you're paranoid or have some other challenging networking.

    4. Re:So what by pegdhcp · · Score: 1

      It depends how paranoid you are while defining the "home". Last week Ubuntu modified lots of keys in CA. For me this is something critical enough.
      You are right that repos are not exactly designed to keep track of user actions, in the general sense of "home to be called". But you need to populate them, even if they are air,glass and steel gapped from the Internet. And during that population, you are replacing software packages by new binaries (and source if you like) provided by distribution packager. So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

    5. Re:So what by drinkypoo · · Score: 1

      So that you are maintaining a one direction connection, that can turn into two way whenever a new (if there is not an existing one already) piece of software triggers...

      It's simple enough to mirror the whole repo, assuming you have bandwidth.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:So what by Zaelath · · Score: 1

      You need a connection from one unrelated server, that doesn't even have to run the distribution you're maintaining the repo for, not the entire fleet... there's a significant difference in the ability to farm information there.

      Assuming you don't trust your binaries, and hence you feel there's some opportunity to open a back door, there's not. The transmission from Vendor => Repo Mirror is two-way, the transmission of Repo Mirror => Clients is /entirely/ under your own control, and the Clients can't magically create networking paths that don't exist just because a new binary would like one.

      I don't think you understand the term "air-gapped".

    7. Re:So what by dbIII · · Score: 1

      In that case the user is doing it deliberately.

      using telepathy

      With posters like the above brainfart I'm pretty fucking happy it doesn't exist.

  9. Re:So just like the US then by JackieBrown · · Score: 1

    China, USA..... honestly is there any difference these days ?

    So it's a continued race to the bottom?

  10. Yikes by riis138 · · Score: 1

    Yikes, that's slightly terrifying.

    --
    Somewhere, something incredible is waiting to be known. -Carl Sagan
  11. Welcome, Chinese Spyware Overlords! by Anonymous Coward · · Score: 1

    I, for one, welcome our new Chinese spyware overlords!

  12. Re:Why always the Chinese by thesupraman · · Score: 1

    I can only assume you have not been taken advantage of by Microsoft's windows 10 'upgrade' yet?

    And anyway, it is patently obviously not the watch doing this, it's the associated smartphone app that does it.
    Should it be? Almost certainly not. Is it common as mud? Pretty much.

  13. Silicon Valley by AnotherAnonymousUser · · Score: 1

    Another fine product from the Nucleus family. Fsckin' Gavin Belson.

  14. Re:Why always the Chinese by Impy+the+Impiuos+Imp · · Score: 1

    Windows does lots of stuff nobody knows about because it is encrypted. While this is good for security, you now have to take Microsoft's word for it it is all benign.

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  15. Re:Teledildonics by Wintermute__ · · Score: 1

    Repeat after me, telemetry is spying. Telemetry is spying.

    Telemetry is spying.

  16. Dont Worry by psybre · · Score: 1

    The packets go through the NSA routers before it can reach China.

    --
    Authority questions you. Return the favor. -- d474
  17. At least it is encrypted by subanark · · Score: 1

    If something is going out to someone else, I'm glad it is encrypted. Makes it harder for an attacker to learn stuff about what your phone is doing.

  18. your "smartthings" are dumb by Gravis+Zero · · Score: 1

    look, i get that you like cool devices that are capable of neat things but if history has proven anything, it's that these "smartthings" are a bad investment and a security nightmare. we have smartTVs that spy on you and inject even more advertisements, we have watches that die faster than winding watches and are less accurate than some of the original mechanical clocks if they don't sync and finally we have cellphones that need daily charging and give your information to just about anyone.

    your "smartthings" are dumb.

    --
    Anons need not reply. Questions end with a question mark.
  19. Covert communications, eh? Where to even start... by WD · · Score: 1

    This article has enough completely-wrong aspects that exempts it from the concept of "not even wrong" I suppose.

    1) The watch does not engage in covert traffic. It's the pairing app for the watch that a user installs on a phone that does the communication.

    2) What on earth does the redundant phrase "covert communications behind the users' back" even mean? Have you looked at network traffic when *any* application has been launched? If you think that any app talking on the internet without explicitly asking the user first counts as "covert communications", then I think you can label just about all of the software out there (esp. in the mobile space) as engaging in "covert communications."

    3) The phrase "random IP address" used by the speaker is slang meant to convey that he didn't know what it is. In this case, it's a system referred to by its IP rather than its DNS name. So rather than looking up who owns the IP address, he says it's "random" and shrugs.

    4) To give up and say that it's "very difficult to determine" what is being sent over the network because it's over an encrypted channel is ridiculous. For all we know, it's just talking to the software vendor via HTTPS. In which case it would be trivial to inspect by using MITM.

    I'm not saying that there's nothing sketchy going on here. But to provide zero evidence of what's actually happening and just speculate and spread FUD is irresponsible.

  20. In the era of IOT by nehumanuscrede · · Score: 1

    If you aren't already familiar with them, it would be prudent to learn how to utilize a packet sniffer to watch what your shiny new devices are doing once connected to a network. You may think twice about blindly connecting it to the same network your other systems reside upon.
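
Added example, not part of any comment above: one way to act on the packet-sniffer advice and on the earlier point that the app reached a system by IP address rather than DNS name. It scans capture text for outbound connections from the phone to external addresses that no DNS answer in the same capture resolved. The sample lines are constructed in the style of `tcpdump -n` output, use documentation address ranges, and the function name and parameters are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n` text output.
# 192.168.1.50 stands in for the phone running the companion app;
# every public address is from a documentation range.
SAMPLE = """\
12:00:01.100000 IP 192.168.1.50.40001 > 192.168.1.1.53: 4660+ A? api.example.com. (33)
12:00:01.120000 IP 192.168.1.1.53 > 192.168.1.50.40001: 4660 1/0/0 A 198.51.100.7 (49)
12:00:01.300000 IP 192.168.1.50.50514 > 198.51.100.7.443: Flags [S], seq 1, win 65535, length 0
12:00:05.000000 IP 192.168.1.50.50520 > 203.0.113.99.8443: Flags [S], seq 1, win 65535, length 0
12:00:09.000000 IP 192.168.1.50.50521 > 203.0.113.99.8443: Flags [S], seq 1, win 65535, length 0
12:00:09.500000 IP 192.168.1.50.50530 > 192.168.1.20.8080: Flags [S], seq 1, win 65535, length 0
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"IP {IPV4}\.(\d+) > {IPV4}\.(\d+): (.*)")
A_RECORD = re.compile(rf"\bA {IPV4}")


def unresolved_destinations(capture_text, device_ip, local_net):
    """Return {(dst_ip, dst_port): syn_count} for connections the device
    opened to external addresses that never appeared in a DNS A answer."""
    lan = ipaddress.ip_network(local_net)
    resolved = set()            # addresses handed to the device by DNS
    attempts = defaultdict(int)  # outbound TCP SYNs per destination

    for line in capture_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.groups()
        if sport == "53" and dst == device_ip:
            # DNS response to the device: remember every A record in it.
            resolved.update(A_RECORD.findall(rest))
        elif src == device_ip and "Flags [S]" in rest:
            # Bare SYN (not SYN-ACK): the device is initiating a connection.
            if ipaddress.ip_address(dst) in lan:
                continue  # LAN traffic is out of scope here
            attempts[(dst, int(dport))] += 1

    # Filter at the end so a DNS answer seen late in the capture still counts.
    return {k: n for k, n in attempts.items() if k[0] not in resolved}


if __name__ == "__main__":
    for (ip, port), n in unresolved_destinations(
            SAMPLE, "192.168.1.50", "192.168.1.0/24").items():
        print(f"{ip}:{port} contacted {n}x with no DNS lookup; check its whois/RIR record")
```

A hit only means the address was hard-coded or resolved outside the capture (cached lookup, DNS over HTTPS); the registry lookup and a review of the app's documented behaviour are the next steps.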