back to article $17 smartwatch sends something to random Chinese IP address

A cheap smart watch often peddled on eBay uses a pairing app for Android or iOS that contains a backdoor that quietly connects to an unknown Chinese IP address. The U8 watch sells for just US$17 and offers a 1.48" touch screen, Bluetooth to connect to either Android or IoS phones and the ability to make or answer calls. The …

  1. Anonymous Coward
    Anonymous Coward

    Optional

    "If you are worried about fragmentation of Android, just take a look at smart watches," he says.

    Seriously? There are about 6 Android Wear watches , if you think that the Gear 2 (Tizen) or Apple Watch run Android you are not a trusted source...

    1. AndyS

      Re: Optional

      >If you are worried about fragmentation of Android

      I'm not. It doesn't worry me any more than the fragmentation of the car market, or the fragmentation of the fruit & veg market. I mean, I like the choice of 6 different types of lettuce.

      1. Electron Shepherd
        Coat

        Re: Optional

        I like the choice of 6 different types of lettuce.

        Well, I for one, don't. Why? Just cos.

        1. bowdie

          Re: Optional

          @Electron Shepherd

          I'm sure it's just the tip of the iceberg.

          1. Antonymous Coward
            Pint

            Re: Optional

            Oh, what tangled Webbs we weave, when first we practise to deceive.

          2. Alien8n

            Re: Optional

            @Bowdie Lettuce hope so

        2. Kane
          Thumb Up

          Re: Optional@Electron Shepherd

          handclap.gif

        3. John H Woods Silver badge

          Re: Optional

          "Well, I for one, don't. Why? Just cos." -- Electron Shepherd

          LOLLO

        4. Simon Harris

          Re: Optional

          I think I'm going to romaine on the sidelines for this debate.

        5. kmac499

          Re: Optional

          What a little Gem of a comment..

    2. Andy Nugent

      Re: Optional

      I think he's suggesting that smart watches are fragmented, not Android based smart watches.

      We have an Android app that users have asked for smart watch support, and we've not done it as there isn't enough demand to justify implementing it on Tizen, Android, Pebble, etc. and there isn't a clear leader in that pack that we'd pick over the others. I don't imagine we're alone in thinking that among Android app developers.

      1. Doctor Syntax Silver badge

        Re: Optional

        "I think he's suggesting that smart watches are fragmented"

        It's surprising what you can achieve with even a small hammer.

    3. Kirstian K
      Coat

      Re: Optional

      Give them time

      and they will all become watches in the end....

  2. allthecoolshortnamesweretaken

    "If you are worried about fragmentation of Android, just take a look at smart watches," he says.

    If you are worried about smart watches, just take a look at all the IoT crap, I say.

    1. Known Hero

      what's wrong with IOT they have 25 different standards to pick from !!

  3. Doctor Syntax Silver badge

    "when it was paired, it started communicating outbound over a random IP address to China. We don't know what the IP address is"

    I think he means a specific IP address and that he hasn't heard of whois.

    1. Youngone Silver badge
      FAIL

      @ Doctor Syntax

      "when it was paired, it started communicating outbound over a random IP address to China. We don't know what the IP address is"

      I vaguely thought that was an odd sentence too.

      If I knew what the IP was I could log into my firewall and block it, so I wonder what it is.

      1. storner
        Boffin

        Why not just geoblock anything in China? No big loss here.

    2. choleric

      Most mobile apps report to random IP addresses in AWS or Apple or Google's cloud, and who knows what happens to the data after that? The fact that this watch reports to a Chinese address maybe just indicates that the opsec of this particular company is particularly poor. You don't have to be Chinese to be a dodgy cracker.

      I remember installing one well reviewed and popular mail/productivity app on Android and discovering that it sent my email password to a cloud server (AWS in this case) and logged into my account from there. At no point in the "read more" blurb, installation instructions or setup was I told this would be happening. Uninstall, change password, block specific IP address, one star review.

  4. davenewman

    crap watch anyway

    The speaker is so quite you cannot hear anything, but after pairing all phone calls come through the watch speaker, not the phone speaker.

  5. hugo tyson

    It's the app that leaks, right?

    But do you need the app to use the watch or is it just like the "drivers CD" you get with every little toy that nobody needs because they're actually standard USB devices? Put another way, if it's a proper BlueTooth device it'll use the standard BT profiles to be remote-control for the phone functions, and not need no steenkin' app.

    Course it could just be checking for updates...

    1. Roq D. Kasba

      Re: It's the app that leaks, right?

      £17 is dangerously close to 'bearing gifts'

      1. David Paul Morgan

        Re: It's the app that leaks, right?

        Beware of leaks bearing gifs?

  6. adnim
    Meh

    I will worry

    when it illegal NOT to use smart TV's, smart watches and IoT devices. Until then meh!

    1. 2460 Something
      Terminator

      Re: I will worry

      By then it will be a mandatory implant which will remove your ability to worry. There will be no 'meh' there will only be obedience.

      1. adnim
        Big Brother

        Re: I will worry

        thanks for making me smile... have an up vote. But surely it will be just newborns that will have this tech implanted. It will be expensive chasing and catching all those middle aged and older persons who resist. You know the ones, those that remember a time when there was privacy.

        1. 2460 Something

          Re: I will worry

          They just offer them a free taco in exchange for having the implant though. There have been anecdotal studies done where researchers offer people a handful of sweets for filling out questionnaires that are asking for all their personal details. A surprising number of people do it without question. In the one I saw the researchers then chatted with the people about personal information security and such forth, but I bet for a few more sweets (or a taco) they would still do it again.

          1. Alien8n

            Re: I will worry

            Watch the TV series Continuum. In that you get implanted if you can't repay your debt to whichever company owns you turning you into a slave making more implants to enslave the next people who can't repay their debts. It's actually a very good satire of capitalism hiding as a science fiction show.

            1. Destroy All Monsters Silver badge

              Re: I will worry

              a very good satire of capitalism

              This is not how capitalism works, comrade.

              1. Anonymous Coward
                Anonymous Coward

                Re: I will worry

                In capitalist west money owns you.

      2. Mike 16

        Re: I will worry

        "The President's Analyst" http://www.imdb.com/title/tt0062153/

        I would add my rationale for replying this way, but that would be a spoiler.

        Keep an eye out for Bedouins.

        1. John Styles

          Re: I will worry

          An excellent and unjustly little known film.

  7. Anonymous Coward
    Anonymous Coward

    U8 is bluetooth

    It is like saying that a BT speaker system is Android.

    Ift he U8 does not work with IOS then it is likely Apple only wants you buying their £300 watch, not because there is no dodgy China app that works for this, as cheap as £10, watch!

    1. Steve Davies 3 Silver badge

      Re: U8 is bluetooth

      Perhaps the U8 app can't get accepted into the App Store? There are apps for other wearables in the store. eg fitbit.

  8. Zippy's Sausage Factory
    Trollface

    I can fragment that smart watch for you...

    The same way the cat fragmented my non-smart watch this morning: a tile floor, a table and a sudden stop at the bottom :)

    1. Camilla Smythe

      Re: I can fragment that smart watch for you...

      Bless. You should buy your cat a toy mouse to play with and leave that on the table as well.... to be promptly ignored as Fluffykins uses subconscious Cat Powers honed over aeons of evolution in order to identify the most expensive thing to break play with...

  9. Francis Boyle Silver badge

    I think I'll buy one

    and keep the PLA busy watching the accelerometer data trying to work out if I'm watching porn. When the Chinese regime falls you'll have me to thank.

    1. JeffyPoooh
      Pint

      Re: I think I'll buy one

      "...watching the accelerometer data trying to work out if I'm watching porn."

      Send them accelerometer data that integrates to something like ~35cm of apparent motion.

      1. Inventor of the Marmite Laser Silver badge

        Re: I think I'll buy one

        @ JeffyPoooh

        Dickhead (See what I did there?)

    2. Boothy
      Mushroom

      Re: I think I'll buy one

      If it sends back GPS data, how about spoofing the location to make it look like you are heading for China?

      If you can figure out the unique watch ID (assuming they have one), then you could spoof all the watches, and make it look like all the watch owners are heading for China.

      If you could physically locate the phone home IP, then you could have everyone heading there :-)

      Icon, well you never know...

  10. cd

    Who wouldn't trust "an IP address scrawled on a piece of paper" ?

    1. Phil W

      "Who wouldn't trust "an IP address scrawled on a piece of paper" ?"

      Apparently not most of the people who actually use one of those watches, which I guess is not an insignificant number of people. (Though who knows how many buy them, see the scrawled URL and immediately return/bin the watch).

      I'd be extremely dubious about downloading an app that could only be acquired from a URL and not via any of the major Android appstores, especially if said URL did not belong to a major known company.

      I wouldn't even consider one that gave a URL in the form of an IP address rather than an actual domain name.

  11. cptskippy

    It's like ya'll have never heard of automatic cloud backup.

    1. Destroy All Monsters Silver badge
      Alert

      This is when a massive cloud backs up into you and you perform a squishy sound just before dropping your dox.

      We need a fscking "cloud!" icon

      1. John Brown (no body) Silver badge

        "We need a fscking "cloud!" icon"

        I was thinking a nice dark cloud icon with lightening bolts coming out it.

        Now, what icon should we have for DevOps?

  12. nilfs2
    Coat

    And the NSA sniffes all the intenet traffic

    Nothing new here, just another snoop, please keep moving

  13. razorfishsl

    This is nothing new, any item purchased from China stores or addresses , that has the capability to connect to the internet also has the same sort of issues.

    You should see what goes on in thier TV boxes......

  14. David Nash Silver badge

    "buyers download the pairing app from an IP address scrawled on a piece of paper that comes with the u8 watch."

    This is the problem, clearly.

  15. FuzzyWuzzys
    Facepalm

    So an electronic device bought from some random seller on eBay turns out to be communicating to some unknown server on the Internet....and people are surprised?!

    Tell you what, why not buy second hand door and window locks off eBay too...cos there's no danger of anything dodgy happening there, like the keys having been copied and the seller then having your home address which they posted the locks to you!

  16. Seajay#

    Don't all of them do this?

    Apple watches connect to Apple. Seems legit, checking for updates, syncing my settings, usual app phoning home telemetry stuff, etc.

    Samsung watches connect to Samsung. Same deal, of course that's what you'd expect.

    Chinese watch connects to China. ZOMG hackers!!

    Says a lot about our relationship with China. Possibly it also says a lot about our unjustified trust in the big tech companies that we're not worried about the first two.

  17. Anonymous Coward
    Thumb Down

    Have you MITM'd your phone?

    All you "I don't worry" losers ... you'd better be PERFECT government, compliant, 'do-as-you're-told' citizens.

    I am not, nor do I intend to be. Fuck NSA, FBI, GHCQ, Mossad, खुफिया विभाग, ASIS, and the rest of them! I know I'm on a list; couldn't give a shit less.

  18. mjruk

    Price?

    $17 for a smartwatch is just too good to be true. I would immediately think that there was a catch.

  19. fictiva

    Shenzen?

    When I look at their manual (http://www.u8watch.net/U8-usermanual-en.pdf ) and install the 'BT Notification.apk' - connects to: APK Access mode:Downloaded from Web address

    IP Address: http://www.chrsz.com which is 116.204.15.137. http://www.chrsz.com/classpro/index/183

    a geolocation of that ip shows it to be: Shenzhen, China. which would be Shenzhen Coheretech Co., Ltd.

    I wonder if thats where the connections are headed to: http://ipinfo.io/AS17962

  20. Anonymous Coward
    Anonymous Coward

    All your beats belong to us...

    opt in of course ...

  21. gizmomelb

    well I'm curious if after this ''alert'' about the app sending data to China, if anyone has disassembled the apps (or is it the phone OS itself sending the data?) to see just what and where it is sending data?

    ie: it's one thing to cry about a security issue, but where is the investigation and backup to support the allegation please?

    I'm certainly not going to install a third party APK on my mobile and quite frankly some of the mediatek smartwatch apps on google play look dodgy as well, so I'd prefer to find out more info first.

    If the watch OS itself is the culprit then bring on a self build OS so I can flash the watch and be reasonably secure in the knowledge that it isn't doing anything dodgy.

    thank you.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like