Share this article on:
The US Army’s Criminal Investigation has warned service members to beware of receiving unsolicited gifts of a certain make of smartwatch.
The CID is concerned that the watches — which automatically connect to Wi-Fi and can make unprompted connections to smartphones — could well contain malware capable of accessing login details and contacts and even access voice and camera functions on any connected device.
CID also believes the free smartwatches could be part of a “brushing” campaign, wherein counterfeit products are sent to random individuals, whose names are then attributed to fake reviews of the product.
But while the CID’s own press release merely considers the presence of malware to be a possibility, the flyer it is distributing to servicemembers is more definite on the presence of malicious software.
“Malware is also present which accesses both voice and cameras,” the flyer read, “enabling actors access to conversations and accounts tied to the smartwatches”.
The CID is recommending that servicemembers who receive a free watch do not turn it on, and report the incident to their manager or to counterintelligence.
CID has not yet reported who might be behind the smartwatch mailing campaign.
The flyer also has the name and images of the possibly infected device, a budget D18 smartwatch that is available online from a number of vendors, including Australian grey market retailers such as Kogan. It’s also available from AliExpress and was for sale on Amazon, where it is listed as being manufactured by a company called DABENXIANG.
Two of the reviews on Amazon are already calling out the US military’s warnings.
However, it’s unclear if these watches are exactly the same model, with the same possibility for malware.
Spreading malware-infected devices so that unsuspecting victims might find them and innocently insert them into a networked device. USB dropping campaigns are a similar method, wherein infected USB keys are left in places such as parking lots or cafeterias.
The infamous Stuxnet worm was first deployed via a USB drop. The malware on the device was targeted at a raft of Iranian industrial sites but spread far beyond its initial targets. Originally aimed at destroying the centrifuges involved in the production of weapons-grade uranium, but went on to infect devices all over the world, including in the United States.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.