
Unsolicited Smartwatches Mailed to US Military Personnel Raise Security Concerns

The U.S. Department of the Army Criminal Investigation Division (CID) has warned about unsolicited smartwatches mailed to US military service members by unknown senders.

The Army CID highlighted the cybersecurity risks posed by the peculiar smartwatches, urging service members to avoid interacting with the devices.

Location-enabled smart devices and apps have leaked military personnel’s location in the past, prompting their restriction in protected areas.

US military service members warned against turning on mysterious smartwatches

The Army CID has warned service members against powering on the smartwatches, which reportedly auto-connect to Wi-Fi and pair with nearby cell phones unprompted, potentially exposing a wide range of user data on the paired phone.

The smartwatches could “contain malware that would grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords,” the Army CID warned.

The devices could also gain access to a paired phone's microphone and camera, allowing threat actors to listen in on conversations and reach accounts linked to the smartwatch.

The Army CID also suggested that the smartwatch gifts could be part of a sales tactic called "brushing," which violates Federal Trade Commission rules. A seller mails products, often counterfeit, unsolicited to random addresses so that it can post positive "verified purchase" reviews in the recipients' names, letting it compete with established products.

Either way, the criminal investigative body warned that the dubious smartwatches posed significant security risks to the recipients and the US military.

The military investigators advised service members to report such gifts to their local counterintelligence units.

“Do not turn the device on. Report it to your local counterintelligence, security manager, or through our Submit a Tip – Report a Crime reporting portal,” the advisory insisted.

However, the potentially trojanized smartwatches could tempt some modestly paid junior service members into keeping and using them.

The Army CID did not disclose the scope of the campaign, but an undisclosed number of service members across the services have reported receiving unsolicited smartwatches in the mail.

When contacted, US military officials declined to divulge more information, including potential culprits and the motive behind the dubious gift watches, citing an ongoing investigation. However, the campaign bears some hallmarks of a state-sponsored intelligence-gathering operation, although no attribution has been made public.

Acknowledging the possibility of spying via infected smartwatches, NCIS spokesperson Jeff Houston confirmed to CNN that US military personnel receive the necessary counterintelligence training to address such situations.

Location-enabled smart devices pose significant security risks to US military operations. In 2018, the Pentagon restricted the use of geolocation features on fitness trackers and similar devices in operational areas after the fitness-tracking apps Strava and Polar Flow were found to be leaking the locations of US military and intelligence personnel.

A page out of a hacker’s old playbook

Although using smartwatches to spread malware is a relatively new tactic, hackers have used unsolicited gifts to achieve the same objective in the past.

In 2020, the FIN7 group mailed malicious USB devices to several businesses; when plugged in, the devices emulated a keyboard and ran commands that downloaded and installed a backdoor on the computer.

Similarly, hackers have exploited human curiosity by leaving infected USB drives strategically for victims to find and plug in, thus triggering malware installation.

In late 2022, the Chinese state-sponsored APT Camaro Dragon compromised a European healthcare institution through a malware-laden USB drive.

Security professionals run the same play defensively, dropping a "lost" USB flash drive or a keystroke-injecting device such as the Hak5 "Rubber Ducky" to test employees' security awareness, sometimes with astonishing results.
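The common thread in the FIN7 mailing and the "Rubber Ducky" drop test is a device that looks like storage but enumerates as a keyboard, which is also what a detection rule can key on. The following is an added example, not code from the article or from any of the organizations it quotes: a small parser over Linux kernel (dmesg-style) log lines that flags any USB vendor/product ID that registers both a mass-storage interface and a HID keyboard on the same host. The log lines are constructed for this example; the line formats follow the usual `usb`, `usb-storage` and `hid-generic` kernel messages, and the parser tolerates an optional `[ seconds ]` timestamp prefix.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article) in the style of Linux
# dmesg output. Device 1-1 enumerates as mass storage AND as a keyboard
# (the BadUSB / Rubber Ducky hallmark); 1-2 is an ordinary keyboard; 1-3
# is an ordinary flash drive.
SAMPLE_DMESG = """\
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb-storage 1-1:1.0: USB Mass Storage device detected
input: SanDisk Cruzer Blade as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.1/0003:0781:5567.0003/input/input12
hid-generic 0003:0781:5567.0003: input,hidraw0: USB HID v1.11 Keyboard [SanDisk Cruzer Blade] on usb-0000:00:14.0-1/input1
usb 1-2: new full-speed USB device number 6 using xhci_hcd
usb 1-2: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice=64.00
usb 1-2: Product: USB Keyboard
hid-generic 0003:046D:C31C.0004: input,hidraw1: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-2/input0
usb 1-3: new high-speed USB device number 7 using xhci_hcd
usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-3: Product: DataTraveler 3.0
usb-storage 1-3:1.0: USB Mass Storage device detected
"""

# Optional "[   12.345678] " prefix that real dmesg output carries.
TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
# "usb <port>: New USB device found, idVendor=xxxx, idProduct=xxxx, ..."
NEW_DEVICE = re.compile(
    r"^usb (\S+): New USB device found, idVendor=([0-9a-fA-F]{4}), idProduct=([0-9a-fA-F]{4})"
)
# "usb <port>: Product: <name>"
PRODUCT = re.compile(r"^usb (\S+): Product: (.+)$")
# "usb-storage <port>:<config>.<interface>: USB Mass Storage device detected"
STORAGE = re.compile(r"^usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")
# "hid-generic 0003:VVVV:PPPP.NNNN: ... USB HID vX.YZ Keyboard [...]"
KEYBOARD = re.compile(
    r"^hid-generic 0003:([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\.\S+: .*USB HID v[\d.]+ Keyboard"
)


def find_badusb_candidates(log_text):
    """Return vendor:product IDs that registered both mass storage and a keyboard.

    Storage registrations are keyed by USB port and mapped back to the
    vendor:product ID announced for that port; keyboard registrations carry
    the ID directly. A device present in both sets is a BadUSB candidate.
    """
    port_ids = {}                      # port -> "vid:pid"
    products = {}                      # "vid:pid" -> product string
    storage_ports = defaultdict(set)   # "vid:pid" -> ports seen as mass storage
    keyboard_ids = set()               # "vid:pid" seen registering a keyboard

    for raw in log_text.splitlines():
        line = TIMESTAMP.sub("", raw.strip())
        if m := NEW_DEVICE.match(line):
            port, vid, pid = m.groups()
            port_ids[port] = f"{vid.lower()}:{pid.lower()}"
        elif m := PRODUCT.match(line):
            port, name = m.groups()
            if port in port_ids:
                products[port_ids[port]] = name
        elif m := STORAGE.match(line):
            port = m.group(1)
            if port in port_ids:
                storage_ports[port_ids[port]].add(port)
        elif m := KEYBOARD.match(line):
            vid, pid = m.groups()
            keyboard_ids.add(f"{vid.lower()}:{pid.lower()}")

    hits = [
        {"id": ident, "product": products.get(ident, "unknown"), "ports": sorted(storage_ports[ident])}
        for ident in keyboard_ids
        if ident in storage_ports
    ]
    return sorted(hits, key=lambda d: d["id"])


if __name__ == "__main__":
    for hit in find_badusb_candidates(SAMPLE_DMESG):
        print(f"BadUSB candidate {hit['id']} ({hit['product']}) on port(s) {', '.join(hit['ports'])}")
```

On the constructed input only the SanDisk-labelled device on port 1-1 is reported. Treat a hit as a triage signal rather than proof: a few legitimate products (keyboards with built-in card readers, some security keys) also expose both interface classes, so the rule is best paired with a device allowlist.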

“Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in,” said Melissa Bischoping, Director, Endpoint Security Research at Tanium. “This ‘surprise smartwatch’ tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information.”

However, Gareth Lindahl-Wise, CISO at Ontinue, noted that a trojanized smartwatch poses a greater threat than a planted malicious USB drive because the attacker can interact deeply and remotely with the phone it is paired to.

“This is not unlike the old technique of leaving a USB stick on the floor and hoping someone would plug it into their laptop,” Lindahl-Wise said. “The ability of a smartwatch to deeply interact with a paired mobile device should be of great concern.”