A common tactic for cybercriminals is to distribute storage drives, phones, or other internet-connected devices filled with hidden malware to hack victims and steal their information. Although smartwatches have not been known for major security breaches so far, they carry many of the same vulnerabilities as other IoT products and warrant a similar degree of caution. A recent InfraGard brief by DHS cautioned the use of Smartphones and being vulnerable to malware.
The US Army’s Criminal Investigation Division (CID) is urging military personnel to be on the lookout for unsolicited, suspicious smartwatches in the mail, warning that the devices could be rigged with malware. The CID reports that the smartwatches have automatically connected to Wi-Fi networks and smartphones independent of user prompts upon activation, indicating that they could be an attempt to infiltrate networks belonging to military personnel. Although no one has confirmed that the devices contain malware or are collecting and sending information, that remains a distinct possibility.[1]
The US Naval Criminal Investigative Service is investigating after multiple Navy personnel reported receiving unsolicited smartwatches in the mail that could be installed with data-stealing malicious software, an NCIS spokesperson reported.
In an alert issued on 23 June 2023, the army said services members across the military have reported receiving smartwatches unsolicited in the mail and noted that the smartwatches, when used, “have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data. These smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords. Malware may be present which accesses both voice and cameras, enabling threat actors access to conversations and accounts tied to the smartwatches.
What is unclear, is whether this is an attack targeting American military personnel. The smartwatches the investigation division noted, may also be meant to run illegal brushing scams. Brushing is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail to allow companies to write positive reviews in the receiver’s name allowing them to compete with established products.
Service members receiving any of these electronic devices are advised to keep them turned off and to report the incident to local counterintelligence, security manager, or directly to CID, NCIS.
In 2018, the Pentagon restricted military troops at sensitive bases or certain high-risk war zone areas from using fitness-trackers or mobile applications that could reveal their location, after news broke that mobile fitness apps Polar and Strava had revealed location data on thousands of military and intelligence members from the US and allied forces. “Junior-enlisted members of the military don’t make a ton of money, so getting a free smartwatch in the mail would certainly be exciting for many,” Rick Holland, an Army veteran and cybersecurity executive stated.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://www.securityweek.com/us-military-personnel-receiving-unsolicited-suspicious-smartwatches/
Comments