Researcher Warns About the Security of Lenovo Watch X

• Lenovo Watch X contains at least six serious vulnerabilities that undermine the privacy and security of the wearer.
• The smartwatch follows shady practices like bloated app permission requests and location tracking data communication.
• The company has issued a firmware update that fixes the problems four months after they were reported.

A researcher of Checkmarx who received a Lenovo Watch X as a gift has discovered that his new gadget is filled with vulnerabilities. As he explains, each of the six security problems that he found in Lenovo’s product is highly severe, as the watch doesn’t seem to respect its owner’s privacy at all. This is one of the budget watches of Lenovo, that was praised for its design and features, and was sold out in 15 seconds when initially launched. This means that the findings of the Checkmarx researcher concern many people out there.

First and foremost, the watch is sending the phone latitude and longitude coordinates to a remote server in China. This practically means that anyone sniffing the network traffic can track the watch owner. Next, the fact that all communication between the mobile app and Lenovo’s web server is not encrypted, so again, sniffing attackers can get their hands to user credentials, take over accounts, or just track the watch owner again. Thirdly, password change requests are not validated, so hijacking an account won’t require a confirmation email.

image credits: David Sopas, checkmarx.com

Proceeding further, the Bluetooth pairing process only requires a common wrist movement, so when an attacker wants to pair to the watch, he/she can do so without the watch owner even realizing it as merely moving their hands around will provide the confirmation. The fifth security gap concerns a wrongful permissions policy that allows people to spoof incoming calls to the watch. Finally, a similar write permission policy enables the sending of commands to the watch that can set multiple alarms on it.

The researcher has proven that the steps that need to be taken by the attacker are few and simple, while in many cases, the attacker could do things by following more than one path of action. What is especially alarming is that the 25 permissions asked by Lenovo’s watch app take things way further than what would be absolutely necessary for the watch to operate as expected. Even without registering an account in the app, it already has the user’s personally identifiable information and uses them to neatly bundle the location tracking data and send them to the Chinese server.

All of the above were reported to Lenovo’s product security and incident response team since October 2018, with follow-up reminders reaching them in November. Further clarifications were requested and provided in December, and the fixes were finally rolled out in January. If you are using Lenovo’s Watch X, make sure that the January update has reached you, otherwise, install it immediately.

Are you a Lenovo Watch X owner? Can you share anything about the security issues of the smartwatch that you are using at the time? Share your experience in the comments section below, and don’t forget to like and subscribe on our socials on Facebook and Twitter.