Source: Cyber News
Summary
The U.S. Army’s Criminal Investigation Division (CID) is advising soldiers who received unsolicited D18 smartwatches in the mail not to turn them on due to concerns they may contain malware capable of harvesting sensitive user and location data.
The strange delivery of the smartwatches comes as the U.S. Army is running two pilot programs to assess the feasibility of using smartwatches to monitor the health of its troops.
Although the CID is concerned about the potential risk the smartwatches may pose, it acknowledges the possibility that they are related to a far more benign “brushing” campaign. Brushing is a popular technique used by unsavory online vendors: they send a cheap product to random individuals and later use those recipients’ names to post fake positive product reviews.
Listing for D18 smartwatch. Source: AliExpress.com
Analysis
This isn’t the first time the U.S. Army has had concerns with smartwatches. In 2018, GPS tracking company Strava published an interactive map using location data collected from users of smart fitness devices such as Fitbit. The map revealed the location of sensitive U.S. military bases in Iraq and Syria. When examined at a closer level, it even showed the walkable pathways within and outside the base. This incident led the U.S. to revise its policy on the use of smart devices within its facilities.
When it comes to wearable smart devices, the more functions a device performs, the more intelligence it can yield to a threat actor about the wearer. It is plausible that a threat actor, motivated by the prospect of collecting intelligence on U.S. military personnel, would seek to capitalize on the timing of the smartwatch pilot programs by sending cheap, easily weaponized smartwatches to targets of interest.
If such an attack were successful, it could yield valuable intelligence such as geolocation data, sensitive conversations, and troop concentrations. However, given the size of the U.S. Army, it is inevitable that at least a few of its members would receive “brushed” items, so the received smartwatches could simply be a coincidence.
It’s likely that the U.S. Army is currently analyzing the devices to determine if they are capable of covert intelligence collection. However, the results of this analysis will likely be classified and thus not made available to the public.
Mitigation
Field Effect encourages users of wearable smart devices to ensure they are up to date with the latest security patches and that their privacy settings are configured in a manner appropriate for the user.
Organizations should restrict wearable smart devices from entering sensitive areas, as they do for other electronic devices that are capable of intelligence collection or that IT teams cannot easily monitor. IoT devices, including wearables like smartwatches, introduce new attack vectors and should be included in the organization’s overall IT security strategy.