US military personnel have reported receiving smartwatches in the mail unsolicited.
These smartwatches have a Wi-Fi auto-connect feature that allows you to connect to your phone and access user data without prompts.
According to the U.S. Criminal Investigation Service (CID), smartwatches may also contain malware that allows senders to access stored data such as banking information, contacts, and account information such as usernames and passwords. It is said that there is
Additionally, the presence of malware can allow unauthorized access to voice and camera features, compromising conversations and accounts linked to the smartwatch.
For more information on this type of malware, see SpinOk Trojan Compromises 421 Million Android Devices.
Officials have expressed concern that these products may be part of a tactic known as brushing. Blushing is sending products (often counterfeits) to unsuspecting individuals in order to generate positive reviews in their name.
In response to these reports, CID urged those who received unsolicited smartwatches to take immediate action.
“Do not turn on the device. Report it to your local counterintelligence agency or security manager or through the ‘Submit a Tip – Crime Reporting Portal,'” CID warned last week.
According to Melissa Bishopping, Tanium’s director of endpoint security research, this technique allows attackers to randomly leave malicious USB devices so that curious victims can connect to them. said to be similar.
“This ‘surprise smartwatch’ tactic takes advantage of the same human curiosity to give attackers access to some of the most sensitive personal information,” Bishopping added.
“As the saying goes, if it’s too good, it probably is. If you’re not paying for the product, you’re the product.”
Gareth Lindahl-Wise, CISO of Ontinue, echoed Bishopping’s allegations, saying that the danger of fitness trackers exposing the locations of military personnel and facilities was seen in the final stages of the Afghanistan conflict.
“A large amount of personal information such as emails, chats, location information, banking information, etc. can be leaked. […] This can compromise personal and corporate accounts. Such unsolicited “sweets” must be reported and dealt with appropriately. ”
