Malware-Infected Watches Are the New USB Thumb Drive for Social Engineers
Alert to military service members: Have you received an unsolicited smartwatch in the mail? If so, whatever you do, don’t power it on, and do report it to your counterintelligence or security manager.
So warned the U.S. Army’s Criminal Investigation Division, which said it has received a number of reports from military personnel that they’ve been receiving unsolicited, free smartwatches. The devices do more than just tell the time, measure your heart rate and count footsteps.
“These smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cellphones unprompted, gaining access to a myriad of user data,” the CID’s alert says.
“Malware is also present which accesses both voice and cameras, enabling actors access to conversations and accounts tied to the smartwatches,” the alert says, adding that the watches may also contain malware that has the ability to grab usernames and passwords as well as banking information.
Cybersecurity experts know there’s no such thing as a free lunch, especially when it comes to digital devices. Find a “free” USB thumb drive, and the question for anyone who’s been in this field long enough will be not whether it contains malware, but how many different types it carries and whether they will auto-run if the device gets plugged into a PC.
Unfortunately for network defenders, people who don’t get paid to be paranoid often fall for the “free stuff” ruse. In 2011, the U.S. Department of Homeland Security ran a test to see how many government employees and private contractors would plug a USB drive they found in their workplace parking lot into their PC.
Bad news, defenders: People who picked up one of the USB devices plugged it in 60% of the time, rising to 90% if the device had an official-looking logo or case, Bloomberg reported.
Such concerns are not theoretical, especially where government networks are concerned. In 2008, a flash drive infected with malware was plugged into a U.S. military laptop in the Middle East, leading to the malicious code infiltrating the U.S. Central Command network. What resulted was described as the “worst breach of U.S. military computers in history.” Officials later said they suspected that the attack had been run by Moscow. The Pentagon’s response to the incident, which was dubbed Operation Buckshot Yankee and remained classified until 2010, led directly to the launch of U.S. Cyber Command to better safeguard government networks.
More than a decade later, attackers continued to wield USB to try and sneak malware onto government and other high-value networks. In January 2022, the FBI warned in a flash alert that businesses in the transportation, defense and insurance sectors were being sent boxes that contained an alleged Amazon gift card and a USB flash drive. Included instructions told recipients to run the executable on the flash drive, saying it contained essential COVID-19 guidance for the U.S. Department of Health and Human Services.
The FBI blamed those attacks on a financially motivated cybercrime group called FIN7 that has been operating since 2013. The group has long wielded malware, including malicious code designed to steal payment card data via point-of-sale attacks. In 2020, the group changed its focus to big game hunting, using ransomware-as-a-service tools such as REvil as well as the group’s own DarkSide, security researchers have reported.
Inexpensive Attack Vectors
Clearly, inexpensive smartwatches appear to be the new USB thumb drive.
From a security standpoint, the irony is that the Chinese-made smartwatches being sent to military personnel, sometimes branded as “LED D18 Smart Watches,” retail for about $5 and likely cost much less when purchased in bulk. Anybody who wanted one would have to pay little to get their own.
What’s not clear is whether military personnel are being directly targeted.
The Army alert refers to brushing, a type of scam used by some e-commerce site sellers, often based in China, to artificially boost their sales by sending unsolicited – and sometimes counterfeit – products to consumers for review and counting the items as having been sold. A study by British consumer watchdog Which? found in 2021 that 1.1 million households in the U.K. have been targeted by brushing.
U.S. military personnel could simply be among the Americans being targeted by what appears to be brushing but is really criminals who have loaded malware onto the devices, likely to try and steal bank account details. Or, they may be getting directly targeted as part of an espionage operation. Even if it’s the former, and foreign criminals obtain sensitive information through malware, the crooks might not hesitate to shop the details to their own intelligence service.
These watches could be “a valuable collection source for a foreign intelligence agency,” ReliaQuest CISO Rick Holland told CNN. “Watches that are then paired with phones could have access to even more data that would be valuable for building profiles on individual soldiers as well as their units.”
The message for anyone who gets an unsolicited wearable or any other digital device in the mail – or finds one in the parking lot of the intelligence agency where they work – remains simple: Don’t sport them; they’re not good for your health.