2019-02-15

The Lenovo Watch X was launched last year as an affordable smartwatch for users in China, aimed mainly at the budget smartwatch segment. Despite its low price, it was not well received, as users reported various flaws and found its performance below expectations. Now, in addition to the performance problems, a researcher has revealed that its security is also badly lacking, with a series of bugs and issues.

Erez Yalon, head of security research at Checkmarx, has revealed that the Lenovo Watch X contains several severe vulnerabilities. They allow attackers to obtain confidential information, and they can even enable account hijacking and spoofing of phone calls. Yalon added that an attacker can change a user's password and steal all data on the watch.

In total, there are six vulnerabilities that undermine users' privacy and security. According to Yalon, the watch used unencrypted communication to send confidential data to the server: nothing exchanged between the device and the servers was encrypted. He tested this by entering his email address and password on the watch and then intercepting the same information as it went to the server in plain text. He stated: “The entire API was unencrypted. All data was transferred in plain text.”

Because the traffic is plain text, anyone sniffing it can track a user, since the watch's location data (latitude and longitude) is sent to the server in the clear. Moreover, there was no validation check on the password reset request, so a password could be changed without any confirmation email.
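The password-reset weakness described above is a missing validation step rather than a cryptographic failure, so it is worth seeing what the check actually looks like. The following added example (written for this article, not code from Lenovo, Checkmarx or the Watch X app) contrasts a reset endpoint that changes the password for anyone who knows the email address with one that requires a single-use, expiring token delivered out of band. The in-memory store, the 15-minute token lifetime and the `outbox` list standing in for the confirmation email are constructed assumptions for the example.

```python
"""Password reset without validation vs. reset bound to a single-use, expiring token."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: reset links expire after 15 minutes


def _hash(password, salt=None):
    """Salted PBKDF2 hash; returns (salt, digest) so the salt can be stored with it."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class UserStore:
    """Minimal in-memory account store, constructed for this example."""

    def __init__(self):
        self.passwords = {}     # email -> (salt, pbkdf2 digest)
        self.reset_tokens = {}  # email -> (sha256(token), expiry timestamp)
        self.outbox = []        # (email, token) pairs that a real service would email

    def register(self, email, password):
        self.passwords[email] = _hash(password)

    def check_password(self, email, password):
        rec = self.passwords.get(email)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(_hash(password, salt)[1], digest)


# --- Vulnerable pattern: the request itself is the only "proof" of ownership. ---
def reset_password_unvalidated(store, email, new_password):
    """Anyone who knows a registered email address can set a new password."""
    if email not in store.passwords:
        return False
    store.passwords[email] = _hash(new_password)
    return True


# --- Hardened pattern: two steps joined by a token the requester cannot guess. ---
def request_reset(store, email, now=None):
    """Step 1: issue a random token, store only its hash, and send the token out of band."""
    now = time.time() if now is None else now
    if email in store.passwords:
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).digest()
        store.reset_tokens[email] = (token_hash, now + TOKEN_TTL_SECONDS)
        store.outbox.append((email, token))  # stands in for the confirmation email
    # Same response whether or not the address exists, so the endpoint leaks nothing.
    return "If that address is registered, a reset link has been sent."


def complete_reset(store, email, token, new_password, now=None):
    """Step 2: accept the new password only with a valid, unexpired, unused token."""
    now = time.time() if now is None else now
    rec = store.reset_tokens.get(email)
    if rec is None:
        return False
    token_hash, expires_at = rec
    presented = hashlib.sha256(token.encode()).digest()
    if now > expires_at or not hmac.compare_digest(presented, token_hash):
        return False
    del store.reset_tokens[email]  # single use: a replayed token is refused
    store.passwords[email] = _hash(new_password)
    return True


if __name__ == "__main__":
    store = UserStore()
    store.register("alice@example.invalid", "old-pass")
    print("unvalidated reset succeeded:",
          reset_password_unvalidated(store, "alice@example.invalid", "attacker-pass"))
    request_reset(store, "alice@example.invalid")
    email, token = store.outbox[-1]
    print("validated reset with wrong token:", complete_reset(store, email, "wrong", "x"))
    print("validated reset with real token:", complete_reset(store, email, token, "new-pass"))
```

Two design choices matter here: the server stores only a hash of the token, so a database read does not yield usable reset links, and the token is deleted on first successful use, so the same confirmation link cannot be replayed after the legitimate user has already used it.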

Incorrect permissions on the Lenovo Watch X allow attackers to view the incoming call log. Moreover, a write permission policy lets anyone send commands to the watch, triggering any action on the device, which is a serious concern for its users.

Sniffing the Lenovo Watch X is quite easy and simple, Yalon said. He further noted that the number of permissions on the Watch X could lead to more severe security issues. To fix the bugs and address the security issues, Yalon recommended a few things: encrypting the data would prevent a couple of the security issues in the app, and fixing the API permissions would eliminate most of the vulnerabilities.

In response to Yalon's research, Lenovo said that it is pushing an update. Lenovo spokesperson Andrew Baron said: “The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China. Our [security team] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

