Lenovo’s $50 Watch X, the company’s cheapest smartwatch and sold only in the Chinese market, ships with several security vulnerabilities, according to Erez Yalon, head of security research at Checkmarx, an application security testing company.
Within a few minutes of using a Watch X, Yalon was able to change users’ passwords, hijack accounts and spoof phone calls. The device, Yalon said, used no encryption to protect the data it sends to the server: user credentials and usage data alike were transmitted in plain text.
“The entire API was unencrypted,” Yalon said in an email to a news website. The API also lacked any proof of account ownership: knowing a username was enough to reset that user’s password and take over the account, he added. Beyond that, the smartwatch was actively reporting his geolocation to a server in China. “[The watch] had already pinpointed my location” before he had even registered an account, Yalon said.
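The design flaw behind the account takeover is a password reset that accepts a username and nothing else. The following is an added illustrative example, not Checkmarx’s findings or the Watch X backend code: it contrasts that pattern with a reset that requires a single-use, expiring token delivered out of band, stores only a hash of the token, and hashes passwords at rest. The in-memory account store, the token lifetime and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores for the example (hypothetical; not a real backend).
ACCOUNTS = {}        # username -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}    # sha256(token) -> (username, expiry_timestamp)
TOKEN_TTL = 900      # assumed token lifetime in seconds


def _hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt; never store the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def register(username, password):
    salt, digest = _hash_password(password)
    ACCOUNTS[username] = {"salt": salt, "hash": digest}


def verify_login(username, password):
    acct = ACCOUNTS.get(username)
    if acct is None:
        return False
    _, digest = _hash_password(password, acct["salt"])
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest, acct["hash"])


# --- Insecure pattern: whoever knows a username can set its password. ---
def insecure_reset(username, new_password):
    if username not in ACCOUNTS:
        return False
    register(username, new_password)   # no proof of ownership whatsoever
    return True


# --- Hardened pattern: reset requires a secret delivered to the account owner. ---
def request_reset(username, now=None):
    """Issue a one-time reset token for the account owner.

    Returns the token, which the server must send only out of band (e-mail/SMS
    to the registered contact, never in the HTTP response), or None for an
    unknown user. Only a hash of the token is stored, so a leaked table does
    not yield usable tokens. The HTTP layer should answer identically in both
    cases to avoid username enumeration.
    """
    now = time.time() if now is None else now
    if username not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).digest()
    RESET_TOKENS[token_hash] = (username, now + TOKEN_TTL)
    return token


def confirm_reset(token, new_password, now=None):
    """Consume a reset token and set the new password if it is valid and unexpired."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).digest()
    entry = RESET_TOKENS.pop(token_hash, None)   # single use: removed even on failure
    if entry is None:
        return False
    username, expiry = entry
    if now > expiry:
        return False
    register(username, new_password)
    return True


if __name__ == "__main__":
    register("alice", "hunter2")
    print("insecure reset succeeds for anyone:", insecure_reset("alice", "pwned"))
    tok = request_reset("alice")
    print("hardened reset without token:", confirm_reset("guess", "x"))
    print("hardened reset with token:", confirm_reset(tok, "fresh"))
```

Note that none of this helps if the token or the new password crosses the network in clear text, which is the other half of the finding above; the reset endpoint must only be reachable over TLS.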
Beyond the leaky API, Yalon found the watch’s Bluetooth interface equally vulnerable. By sending crafted Bluetooth requests he could spoof an incoming phone call on the watch and “[add] multiple alarms, as often as every minute,” he said. To address this, Yalon suggests, “Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms.”
Lenovo confirmed the vulnerabilities and said, “Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”