Researchers are raking the Lenovo Watch X over the security coals in a report that blasts the device for shipping with a half dozen “disturbing” privacy and security vulnerabilities.
The budget ($50) smartwatch was introduced in June 2018 and was initially praised for its design, features and affordability. But months following the launch, the Lenovo X Watch has since been hearing an earful from usability, and now security, critics.
In a report released by Checkmarx on Tuesday, security researcher David Sopas outlined a swath of failings and concluded the watch’s vulnerabilities were “a violation of [his] privacy” by sending location data to an “unknown server” in China.
In the report titled “Your Lenovo Watch X Is Watching You and Sharing What It Learns” Sopas outlined a litany of bugs.
Lenovo said all bugs outlined in the Checkmarx report are “due to be complete this week.”
One bug pinpointed the phone’s location via longitude and latitude and sent it via an unencrypted communications channel to China, where Lenovo is headquartered. Another bug that was identified could allow for a man-in-the-middle attack. “Communication sent between the mobile application and web server is not encrypted, so anyone could sniff the communication,” the researcher wrote.
Other bugs included an account take-over vulnerability. “Due to lack of account validation and permissions, it’s possible to force a password change request for any user,” he wrote. “Anyone who knows the userid could change the user password, and therefore hijack remote accounts.”
Three Bluetooth bugs included one where hand movements kick the watch into pairing mode and never times out. Another Bluetooth bug could allow a “malicious user [to] send a specific command to the watch to set alarms. The function allows adding multiple alarms, as often as every minute.” And lastly a Bluetooth write permission bug could allow someone to spoof incoming call alerts to the watch.
Sopas stressed the corresponding Lenovo Watch X app, with 50,000-plus downloads, is also troubling.
For its part, Lenovo told Threatpost the watch was never intended for the U.S. market. That is despite the English language app and a number of U.S.-based online retailers selling the watch.
“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China. Our PSIRT team has been working with the ODM that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week,” Lenovo wrote.
Checkmarx disclosed the watch vulnerabilities to Lenovo in October 2018. Lenovo confirmed receipt of the bugs several weeks later. In January, Lenovo said fixes are issued. It’s unclear what, if anything, users will need to do in order to ensure they get a fix.
Smart watches have recently come under fire for privacy issues. Last month, researchers from Pen Test Partners examined kids watches that were part of watchmaker Gator’s portfolio devices. They found a severe flaw exposes sensitive information for 35,000 kids and 20,000 individual accounts.