The US Army’s Criminal Investigation Division (CID) is warning service members to look out for unsolicited smartwatches arriving in the mail, which likely carry risks of malware and allowing unauthorized access to sensitive systems.
When used, the smartwatches are able to auto-connect to the local Wi-Fi network, and can also connect to cellphones, thus allowing access to a user’s data. The snooped information can be private and used to exploit a victim, the advisory warned, and it’s possible that these watches also carry malware that could allow a threat actor to access, save, or transfer data such as banking information, account information, or personal contacts.
“Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This ‘surprise smartwatch’ tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information,” said Melissa Bischoping, director of endpoint security research at Tanium, in an emailed comment. “As the adage goes, if it’s too good to be true, it probably is, and if you’re not paying for the product, you ARE the product.”
Alternatively, these mystery smartwatches sent from unknown senders could also be used for a practice known as “brushing,” in which presumably counterfeit products are sent via mail to random individuals so that companies can write positive reviews in the name of the person they sent the product to.
Should anyone, military personnel or otherwise, receive a product such as this, the CID advises recipients not to turn it on and to report it to local counterintelligence, or through its “Report a Crime” portal, where individuals can also submit tips.