Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.
The low-end $50 smart watch was one of Lenovo’s cheapest smart watches. Since it is available only for the China market, anyone who wants one has to buy it directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. It didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts, and spoof phone calls.
Because the smart watch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account,
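The reset flaw Yalon describes, as an added illustration that is not the vendor's code or API: a reset handler that trusts a bare username, beside a hardened version that demands a single-use, expiring token bound to the account. The user store, token lifetime and function names are constructed for the example.

```python
import hmac
import secrets
import time

# Constructed user store (username -> record); not the vendor's real data.
# Passwords would be hashed in practice; kept as plain strings to keep the
# focus on the reset flow itself.
USERS = {"alice": {"email": "alice@example.com", "password": "old-secret"}}
# Outstanding reset tokens: username -> (token, expiry as epoch seconds)
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60


def reset_password_vulnerable(username, new_password):
    """Weak pattern: knowing a username is enough to set a new password.
    Nothing proves the caller owns the account."""
    user = USERS.get(username)
    if user is None:
        return False
    user["password"] = new_password
    return True


def request_reset(username, now=None):
    """Hardened step 1: mint a single-use, expiring token bound to the account.
    It would be delivered out of band (e.g. to the registered email); it is
    returned here only so the example runs offline."""
    if username not in USERS:
        return None  # a real API should answer identically for unknown users
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    RESET_TOKENS[username] = (token, now + TOKEN_TTL_SECONDS)
    return token


def reset_password_hardened(username, token, new_password, now=None):
    """Hardened step 2: only a valid, unexpired token for this account may
    change the password. The token is consumed on every attempt (no reuse,
    no guessing) and compared in constant time."""
    entry = RESET_TOKENS.pop(username, None)
    if entry is None:
        return False
    expected, expiry = entry
    now = time.time() if now is None else now
    if now > expiry or not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    USERS[username]["password"] = new_password
    return True
```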