Researcher reveals leaky, location-betraying Lenovo Watch X

Lenovo’s cheap and cheerful Watch X wearable has been given both barrels by security researcher David Sopas, who has exposed a number of troubling vulnerabilities. 

Besides the Watch X itself regularly sending location data to Lenovo’s servers in China, the traffic between the watch and the Android app wasn’t encrypted, meaning any data passing between the watch, the Android app and the web server could be read by anyone able to intercept it.

Portugal-based Sopas demonstrated that the Watch X would broadcast his location with surprising accuracy, transmitting his coordinates. The researcher also demonstrated that the device could easily be attacked remotely by anyone who happened to be on the same network. Even registering for an account on the Lenovo Watch X wasn’t protected by HTTPS, meaning anyone on that network could launch a man-in-the-middle attack and scoop up usernames, email addresses and passwords.
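The core finding above is transport-level: credentials and coordinates travelling over plain HTTP, where anyone on the path can read them. The script below is an added example, not part of this article or of Sopas’ report, showing the kind of triage a tester runs over a proxy export of a companion app’s traffic to flag exactly that class of request. The request records, hostnames and paths are constructed placeholders, not real Lenovo endpoints.

```python
"""Flag requests that send credentials or location data without TLS.

Added example (not from the article or from Sopas' research). The records
below are constructed sample data shaped like a proxy export; the host
'api.example-wearable.invalid' and its paths are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample records: (method, url, body) as a proxy export might list them.
SAMPLE_REQUESTS = [
    ("POST", "http://api.example-wearable.invalid/register",
     "username=alice&email=alice%40example.org&password=hunter2"),
    ("POST", "http://api.example-wearable.invalid/sync",
     '{"lat": 38.7223, "lon": -9.1393, "ts": 1546300800}'),
    ("GET", "https://api.example-wearable.invalid/firmware?version=1.2", ""),
    ("GET", "http://api.example-wearable.invalid/time", ""),
]

# Parameter names that indicate account credentials or a device position.
CREDENTIAL_KEYS = {"password", "passwd", "pwd", "token", "username", "email"}
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude"}

# Matches quoted object keys in a JSON body, e.g. "lat": 38.7
_JSON_KEY = re.compile(r'"([A-Za-z_]+)"\s*:')


def body_keys(body):
    """Collect parameter names from a form-encoded or JSON body (lowercased)."""
    keys = {k.lower() for k in parse_qs(body)}          # form-encoded pairs
    keys |= {m.group(1).lower() for m in _JSON_KEY.finditer(body)}  # JSON keys
    return keys


def classify(keys):
    """Map a set of parameter names to the PII categories they reveal."""
    categories = set()
    if keys & CREDENTIAL_KEYS:
        categories.add("credentials")
    if keys & LOCATION_KEYS:
        categories.add("location")
    return categories


def audit(requests):
    """Return [(url, [categories])] for requests carrying PII over plain http."""
    findings = []
    for _method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme != "http":
            continue  # TLS-protected transport; not what this check looks for
        keys = {k.lower() for k in parse_qs(parts.query)} | body_keys(body)
        categories = classify(keys)
        if categories:
            findings.append((url, sorted(categories)))
    return findings


if __name__ == "__main__":
    for url, categories in audit(SAMPLE_REQUESTS):
        print(f"cleartext PII: {', '.join(categories)} -> {url}")
```

Run against the constructed sample it reports the registration request (credentials) and the sync request (location), while the HTTPS firmware check and the PII-free time request pass. The check is deliberately transport-only: a finding means the fix is to move the endpoint to HTTPS and, on Android, to block cleartext traffic in the app’s network security configuration, not to tweak the parameters.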

Less worryingly, it would also be possible for someone to remotely take control of the watch, set the alarm off and send spoof calls to the user, such as a fake call from the ‘NSA’.

“I think the vulnerabilities on the Lenovo Watch X bear looking at – sharing my exact location with a remote server didn’t seem necessary for the Watch X to function as designed,” Sopas said. “It’s also a violation of my privacy, and clearly shares [personally identifiable information]. Encrypting communication between the Watch X, Android app, and the web server would help reduce the impact of these issues, and it is basically best practice.”

Failing to properly safeguard personally identifiable information (PII), data which could identify someone, can, in the event of a data breach, lead to heavy fines under the EU General Data Protection Regulation (GDPR). There is no suggestion, however, that a breach has happened as a result of the Watch X or the app not encrypting data.

A Lenovo spokesperson sent Trusted Reviews the following statement: “The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China.

“Our PSIRT [Product Security Incident Response Team] team has been working with the ODM [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”

While the device might not have been intended to find an audience outside of its native market, which would explain why it kept passing information to Chinese servers, we were able to find some on Amazon UK (sold by none other than Lenovo itself).

The Lenovo Watch app Sopas mentions in his report was also absent from the Google Play app store at the time of writing – presumably, this will be reinstated by the time that security patches have rolled out.

Watch do you think about the Watch X watching its users? Let us know on Twitter, via a heavily encrypted VPN, at @TrustedReviews.