Service members across the US military have reported receiving smartwatches unsolicited in the mail.
These smartwatches have Wi-Fi auto-connect capabilities and can connect to cell phones unprompted, gaining access to user data.
According to the US Criminal Investigation Division (CID), the smartwatches may also contain malware granting the sender access to saved data, including banking information, contacts and account information such as usernames and passwords.
Additionally, the presence of malware could enable unauthorized access to voice and camera functions, potentially compromising conversations and accounts linked to the smartwatches.
Officials have raised concerns that these products may be part of a tactic known as brushing, in which a seller mails products, often counterfeit, to unsuspecting individuals and then posts positive reviews in the recipients' names.
In response to the reports, CID urged recipients of unsolicited smartwatches to take immediate action.
“Do not turn the device on. Report it to your local counterintelligence, security manager, or through our Submit a Tip – Report a Crime reporting portal,” CID warned last week.
According to Melissa Bischoping, director of endpoint security research at Tanium, the technique is akin to attackers leaving random malicious USB devices around for curious victims to plug in.
“This ‘surprise smartwatch’ tactic leverages the same human curiosity and grants a threat actor access to some of your most sensitive personal information,” Bischoping added.
“As the adage goes, if it’s too good to be true, it probably is, and if you’re not paying for the product, you are the product.”
Gareth Lindahl-Wise, CISO at Ontinue, echoed Bischoping’s point, saying the dangers of fitness trackers disclosing the location of military personnel and installations were seen towards the end of the Afghan conflict.
“A wealth of personal information, such as emails, chats, location and banking information could be exposed […] which could lead to personal and corporate account compromise. These unsolicited ‘goodies’ must be reported and dealt with appropriately.”