By Cam Sivesind
Fri | Jun 23, 2023 | 2:39 PM PDT

The U.S. Army's Criminal Investigation Division (CID) is urging military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, warning that the devices could be rigged with malware.

According to a CID press release: "Service members across the military have reported receiving smartwatches unsolicited in the mail. These smartwatches, when used, have auto-connected to Wi-Fi and begun connecting to cell phones unprompted, gaining access to a myriad of user data."

Here are some comments from cybersecurity vendor experts:

Melissa Bischoping, Director of Endpoint Security Research at Tanium:

"Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This 'surprise smartwatch' tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information. As the adage goes, if it's too good to be true, it probably is, and if you're not paying for the product, you are the product. In this economy, no one is sending out free gadgets for funsies, so the arrival of an unexpected package should raise suspicions and warrant investigation into the authenticity or identity of the sender. Best case? Someone sent you a birthday gift and forgot to include a card. Worst case? You're compromising your personal and/or professional data with malware."

Gareth Lindahl-Wise, CISO at Ontinue:

"This is not unlike the old technique of leaving a USB stick on the floor and hoping someone would plug it into their laptop. The ability of a smartwatch to deeply interact with a paired mobile device should be of great concern. The dangers of fitness trackers (such as Fitbit and Strava) disclosing the location of military personnel and installations were seen towards the end of the Afghan conflict. A wealth of personal information, such as emails, chats, location, and banking information, could be exposed. But also consider the exposure of authentication apps, many of which can be used on smartwatches—which could lead to personal and corporate account compromise. These unsolicited 'goodies' must be reported and dealt with appropriately."


Casey Ellis, Founder and CTO at Bugcrowd:

"Trojan horses aren't a new idea, but this attack is remarkable to me because of the combination of its scale, its brazenness, and the associated costs."

More from the press release:

"These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords.

Malware may be present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches.

These products may also be used for Brushing. This is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver's name, allowing them to compete with established products."

If military personnel receive such a device, they should NOT turn it on but instead report it to their local counterintelligence agency, security manager, or the "Submit a Tip - Report a Crime" reporting portal (only accessible by military personnel).
