Lenovo’s Watch X was widely panned as “absolutely terrible.” As it turns out, so was its security.
The low-end $50 smartwatch was one of Lenovo’s cheapest smartwatches. Sold only in the China market, it has to be bought directly from the mainland. Lucky for Erez Yalon, head of security research at Checkmarx, an application security testing company, he was given one by a friend. But it didn’t take him long to find several vulnerabilities that allowed him to change users’ passwords, hijack accounts and spoof phone calls.
Because the smartwatch wasn’t using any encryption to send data from the app to the server, Yalon said he was able to see his registered email address and password sent in plain text, as well as data about how he was using the watch, like how many steps he was taking.
“The entire API was unencrypted,” said Yalon in an email to TechCrunch. “All data was transferred in plain-text.”
The API that helps power the watch was easily abused, he found, allowing him to reset anyone’s password simply by knowing a person’s username. That could’ve given him access to anyone’s account, he said.
Not only that, he found that the watch was sharing his precise geolocation with a server in China. Given the watch’s exclusivity to China, it might not be a red flag to natives. But Yalon said the watch had “already pinpointed my location” before he had even registered his account.
Yalon’s research wasn’t just limited to the leaky API. He found that the Bluetooth-enabled smartwatch could also be manipulated from nearby, by sending crafted Bluetooth requests. Using a small script, he demonstrated how easy it was to spoof a phone call on the watch.
Using a similar malicious Bluetooth command, he could also set the alarm to go off — again and again. “The function allows adding multiple alarms, as often as every minute,” he said.
Lenovo didn’t have much to say about the vulnerabilities, besides confirming their existence.
“The Watch X was designed for the China market and is only available from Lenovo to limited sales channels in China,” said spokesperson Andrew Barron. “Our [security] team has been working with the [original device manufacturer] that makes the watch to address the vulnerabilities identified by a researcher and all fixes are due to be completed this week.”
Yalon said that encrypting the traffic between the watch, the Android app and its web server would prevent snooping and help reduce manipulation.
“Fixing the API permissions eliminates the ability of malicious users to send commands to the watch, spoof calls, and set alarms,” he said.
Respawn will premiere its ‘Star Wars’ game on April 13th
After years of work, Respawn is nearly ready to show what its Star Wars game is all about. Lucasfilm has announced that EA and Respawn will formally reveal Star Wars Jedi: Fallen Order at a Celebration Chicago panel on April 13th. The two are unsurprisingly shy about details, but you’ll meet a Padawan who survived Order 66 (the command to exterminate the Jedi) and experience what it’s like to live in an era where there are seemingly no Jedi left. You can expect “never-before-released” details of the game, Lucasfilm said, which isn’t hard when the game is largely a secret.
Spotify launches in India – TechCrunch
Just for India, Spotify users who do not pay for a subscription can play any song on demand on mobile. There are also playlists for India and a “Starring…” feature that includes music from Bollywood movies.
“Not only will Spotify bring Indian artists to the world, we’ll also bring the world’s music to fans across India,” said Spotify CEO Daniel Ek.
This isn’t necessarily a precursor to some big action like breaking up a big company or imposing rules or anything like that. It seems more like a recognition that the FTC needs to be ready to move quickly and decisively in tech matters.
Against a backdrop of public backlash and looming federal regulations, the world’s biggest e-cigarette manufacturer has released video of the original thesis presentation that launched the company.
After years of prototypes, the age of foldables has finally arrived.
With the latest improvements, developers can use the machine to solve larger problems with fewer physical qubits — or larger problems in general.
Some thoughts from the former SVP of Walmart’s global e-commerce supply chain.
Cracks are starting to appear in Steam’s armor, threatening to make it the digital equivalent of GameStop — a once unassailable retail giant whose future became questionable when it didn’t successfully change with the times. (Extra Crunch subscription required.)
FTC ruling sees Musical.ly (TikTok) fined $5.7M for violating children’s privacy law, app updated with age gate – TechCrunch
A significant FTC ruling issued today will see video app TikTok fined $5.7 million for violating U.S. children’s privacy laws, and will impact how the app works for kids under the age of 13. In an app update being released today, all users will need to verify their age, and the under 13-year-olds will then be directed to a separate, more restricted in-app experience that protects their personal information and prevents them from publishing videos to TikTok.
In a bit of bad timing for the popular video app, the ruling comes on the same day that TikTok began promoting its new safety series designed to help keep its community informed of its privacy and safety tools.
The Federal Trade Commission had begun looking into TikTok back when it was known as Musical.ly, and the ruling itself is a settlement with Musical.ly.
The industry self-regulatory group Children’s Advertising Review Unit (CARU) had last spring referred Musical.ly to the FTC for violating U.S. children’s privacy law by collecting personal information for users under the age of 13 without parental consent. (The complaint, filed by the Department of Justice on behalf of the Commission, is here.)
But its regulatory issues followed it to its new home.
According to the U.S. children’s privacy law COPPA, operators of apps and websites aimed at young users under the age of 13 can’t collect personal data like email addresses, IP addresses, geolocation information or other identifiers without parental consent.
But the Musical.ly app required users to provide an email address, phone number, username, first and last name, a short biography and a profile picture, the FTC claims. The app also allowed users to interact with others by commenting on their videos and sending direct messages. In addition, user accounts were public by default, which meant that a child’s profile bio, username, picture and videos could be seen by other users, the FTC explained today in its press release.
It also noted that there were reports of adults trying to contact children in Musical.ly, and until October 2016 there was a feature that let others view nearby users within a 50-mile radius.
“The operators of Musical.ly—now known as TikTok—knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,” said FTC Chairman Joe Simons, in a statement. “This record penalty should be a reminder to all online services and websites that target children: We take enforcement of COPPA very seriously, and we will not tolerate companies that flagrantly ignore the law.”
COPPA law, of course, becomes a bit complex to implement for apps like TikTok that sit in a gray area between being oriented toward adults and being aimed at kids. Specifically, apps preferred by tweens and teens — like Snapchat, Instagram, YouTube and TikTok — are often clamored for by younger, under-13 kids, and parents often comply.
But some parents are caught off guard by these apps. The FTC says Musical.ly had fielded “thousands of complaints” from parents because their children under the age of 13 had created Musical.ly accounts.
In addition to the $5.7 million fine, the FTC settlement with Musical.ly includes an agreement that will impact how the TikTok app operates.
It says TikTok is now considered a “mixed audience” app, which means there needs to be an age gate implemented on the app. Instead of locking out under-13 users from the TikTok service, younger users will be directed to a different in-app experience that restricts TikTok from collecting the personal information prohibited by COPPA.
TikTok is also complying with the ruling by making significant changes to its app. It will now restrict under-13 kids from being able to film and publish their videos to the TikTok app. It will also take down all videos from kids under 13.
Instead, the under-13 crowd will only be able to like content and follow users. They will be able to create and save videos to their device — but not to the public TikTok network. Nor can they share videos on the app with their friends if they use TikTok via a private account.
As TikTok already has a large number of younger kids on its app, it will push an app update today that displays the new age gate to both new and existing users alike. Kids will then need to verify their birthday in order to be directed to the appropriate experience.
This is not likely going to have an impact on how many kids use TikTok, however. Kids today already know to lie to age pop-ups so they can enter a restricted app. That’s how they set up accounts on Facebook, Instagram, Snapchat and elsewhere.
However, the move at least puts TikTok on a level playing field with other “mixed audience” apps instead of allowing it to pretend U.S. children’s privacy laws do not exist.
TikTok reportedly has been installed a billion times worldwide, according to recent data from Sensor Tower. The company doesn’t publicly disclose its figures, but the FTC says since 2014, more than 200 million users had downloaded the Musical.ly app worldwide, with 65 million accounts registered in the United States.
The Commission vote to authorize the staff to refer the complaint to the Department of Justice and to approve the proposed consent decree was 5-0. Commissioner Rohit Chopra and Commissioner Rebecca Kelly Slaughter issued a separate statement, shared below:
The Federal Trade Commission’s action to crack down on the privacy practices of Musical.ly, now known as TikTok, is a major milestone for our Children’s Online Privacy Protection Act (COPPA) enforcement program. Agency staff uncovered disturbing practices, including collecting and exposing the location and other sensitive data of young children. In our view, these practices reflected the company’s willingness to pursue growth even at the expense of endangering children. The agency secured a record-setting civil penalty and deletion of ill-gotten data, as well as other remedies to stop this egregious conduct. This is a big win in the fight to protect children’s privacy.
This investigation began before the current Commission was in place. FTC investigations typically focus on individual accountability only in certain circumstances—and the effect has been that individuals at large companies have often avoided scrutiny. We should move away from this approach. Executives of big companies who call the shots as companies break the law should be held accountable.
When any company appears to have made a business decision to violate or disregard the law, the Commission should identify and investigate those individuals who made or ratified that decision and evaluate whether to charge them. As we continue to pursue violations of law, we should prioritize uncovering the role of corporate officers and directors and hold accountable everyone who broke the law.