Source: CNN
Summary
The U.S. Naval Criminal Investigative Service (NCIS) has launched an investigation into unsolicited smartwatches being sent to Navy personnel in the mail. NCIS’s investigation comes less than a week after the U.S. Army’s Criminal Investigation Division (CID) launched its own investigation and advised soldiers not to turn on the unsolicited smartwatches due to concerns they may contain malware capable of harvesting user and geographic data.
The extent to which U.S. military personnel have been sent the rogue smartwatches is unclear, as is who is sending them. The smartwatches are configured to automatically connect to wireless networks and cell phones, potentially gaining access to location and user data.
Additionally, the watches could contain malware capable of harvesting contacts, passwords, and banking information.
Analysis
Given the U.S. military’s past security concerns with wearable devices, it’s appropriate that at least two military investigative bodies are looking into this case. It's highly likely that U.S. military authorities are currently analyzing the devices to determine if they are capable of covert intelligence collection. However, the results of this analysis will likely be classified and thus not made available to the public.
When it comes to wearable smart devices, the number of functions a device can perform correlates directly with the level of intelligence it can provide threat actors on the wearer. It's plausible that a threat actor, motivated by the prospect of collecting intelligence on U.S. military personnel, would send cheap, easily weaponized smartwatches to targets of interest. If such an attack were successful, it could yield valuable intelligence like geo-location data, sensitive conversations, and troop concentrations.
However, given that 1.4 million Americans serve in the military, it’s inevitable that at least a few of them would receive “brushed” items, and the received smartwatches could just be a coincidence.
Mitigation
Field Effect encourages users of wearable smart devices to ensure the devices are up to date with the latest security patches and that their privacy settings are configured in a manner appropriate for the user.
Organizations should restrict wearable smart devices from entering sensitive areas, as they would any electronic device that is capable of intelligence/data collection or that may be difficult for IT teams to monitor. IoT devices, including wearables like smartwatches, can introduce new vectors for attackers and should be included in the organization’s overall IT security strategy.