
$17 smartwatch sends something to random Chinese IP address - munkiepus
http://www.theregister.co.uk/2016/03/02/chinese_backdoor_found_in_ebays_popular_cheap_smart_watch/
======
forgottenpass
No different than sending data to a random us-east-1 IP address.

In this case there just aren't any English speakers to show up in the press
and spit sophistry about how a stopwatch app needs to exfiltrate your entire
contacts book for business reasons and "you clicked OK so fuck you."

~~~
ApplaudPumice
Don't forget that the Chinese (or any other country) are terrorists.

~~~
forgottenpass
You're right. Even though I aimed my criticism at a market that is
unreasonably trusting of locals, I think the reason this is news is fueled by
distrust of the Chinese in specific and foreigners in general.

Dunno why you're so downvoted. Is the HN audience too thick to see your point,
or was it using language too close to IRL politics?

------
grantmnz
Had a scare in a data centre once when the UPS started trying to connect to an
IP hosted somewhere in China. Turned out when it did a DNS lookup for the SNMP
server (or something - sorry about hand-waviness) the first response it got
back was an IPv6 address (DNS AAAA record). And since the crappy TCP stack on
the device had no IPv6 support, it was just interpreting the first four bytes
of the AAAA record as an IPv4 address. One of our super smart sysadmins worked
out what was going on and tweaked the DNS to return A record first - problem
solved.
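The failure mode in the comment above (an IPv4-only stack reading the first four bytes of whatever answer record comes first) is easy to reproduce with a toy DNS response. The following is an added example, not code from the thread or from any UPS vendor; the domain `snmp.example.com` and the addresses are constructed sample values, and `naive_first_answer_as_ipv4` is a model of the described bug, not the device's real code. It shows why the "return the A record first" workaround merely hides the defect, and what a correct client does instead: check RTYPE and RDLENGTH and refuse to guess.

```python
import struct
import ipaddress

TYPE_A, TYPE_AAAA = 1, 28


def _encode_name(name):
    # Wire-format domain name: length-prefixed labels, terminated by a zero byte.
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_response(qname, answers):
    """Build a minimal DNS response (constructed, not a real capture).
    answers: list of (rtype, rdata) in the order the server returns them."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    # QTYPE=ANY (255) so both record types may appear in one answer; QCLASS=IN.
    question = _encode_name(qname) + struct.pack("!HH", 255, 1)
    rrs = b""
    for rtype, rdata in answers:
        # 0xC00C is a compression pointer back to the question name at offset 12.
        rrs += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return header + question + rrs


def _skip_name(buf, off):
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer occupies two bytes
            return off + 2
        off += 1 + length


def parse_answers(buf):
    """Return [(rtype, rdata), ...] from the answer section, honouring RDLENGTH."""
    qdcount, ancount = struct.unpack("!HH", buf[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(buf, off) + 4  # skip QTYPE + QCLASS
    out = []
    for _ in range(ancount):
        off = _skip_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        out.append((rtype, buf[off:off + rdlen]))
        off += rdlen
    return out


def naive_first_answer_as_ipv4(buf):
    """Model of the UPS behaviour (assumption): ignore RTYPE and RDLENGTH and
    read the first four RDATA bytes of the first answer as an IPv4 address."""
    _rtype, rdata = parse_answers(buf)[0]
    return str(ipaddress.IPv4Address(rdata[:4]))


def first_a_record(buf):
    """Correct behaviour for an IPv4-only client: accept only A records
    whose RDATA is exactly four bytes; otherwise report that none was found."""
    for rtype, rdata in parse_answers(buf):
        if rtype == TYPE_A and len(rdata) == 4:
            return str(ipaddress.IPv4Address(rdata))
    return None


# Constructed sample addresses from the documentation ranges.
V6 = ipaddress.IPv6Address("2001:db8::1").packed
V4 = ipaddress.IPv4Address("192.0.2.10").packed

AAAA_FIRST = build_response("snmp.example.com", [(TYPE_AAAA, V6), (TYPE_A, V4)])
A_FIRST = build_response("snmp.example.com", [(TYPE_A, V4), (TYPE_AAAA, V6)])
AAAA_ONLY = build_response("snmp.example.com", [(TYPE_AAAA, V6)])

if __name__ == "__main__":
    # 2001:0db8:... read as bytes 0x20 0x01 0x0d 0xb8 becomes 32.1.13.184, an unrelated host.
    print("AAAA first, naive  :", naive_first_answer_as_ipv4(AAAA_FIRST))
    print("AAAA first, checked:", first_a_record(AAAA_FIRST))
    print("A first, naive     :", naive_first_answer_as_ipv4(A_FIRST))  # the record-ordering workaround
    print("AAAA only, checked :", first_a_record(AAAA_ONLY))  # None: refuse rather than guess
```

Reordering records at the resolver only works until some resolver, cache or dual-stack migration puts an AAAA record first again; the durable fix is in the client, which must validate the record type and length before treating RDATA as an address.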

~~~
acveilleux
And that should give you great confidence in the quality of the code in that
UPS and the likeliness that a random IP packet will crash it...

------
envy2
This strikes me as scaremongering: yes, it's possible that this is some sort
of malicious behaviour, but the article provides no evidence of that beyond
"China." It's far more likely that the cheap Chinese smartwatch manufacturer
simply uses servers in China (imagine that!) for collecting diagnostic data or
to provide benign functionality.

~~~
HappyTypist
Yes. Like ntp.

------
trestletech
I'm suspicious that that IP address isn't random at all!

~~~
nmc
Agreed: to me the word _"random"_ makes it seem like the IP address was
randomly generated.

Interestingly enough, the author himself uses the word _"random"_ to describe
the address, but then implies it is indeed unique: _"it didn't resolve to
anything"_.

I believe he really meant "unknown" there, but he is a professional
researcher, so what do I know? I guess we will have to wait for the paper he
mentioned he was writing on the subject.

~~~
DanBC
English use of random to mean "a bit unusual".

[http://www.thefreedictionary.com/random](http://www.thefreedictionary.com/random)

> 3. informal (of a person) unknown: some random guy waiting for a bus.

It's not great journalism, but this is the register.

~~~
Domenic_S
That usually makes sense when the object in question is fungible -- whether
the person waiting for the bus was Joe or John or Jeff makes no difference.

But it's needlessly confusing to use "random" to describe something that's
represented numerically unless it's mathematically random. "Arbitrary" or
"unknown" is better.

~~~
irremediable
Agreed that it's a bit ambiguous, but in modern British English this usage of
"random" is _really_ common. I didn't even think about the headline until
people started discussing it.

------
roymurdock
From recent KrebsonSecurity article: _This is Why People Fear the Internet of
Things_ [1]

Replace "camera" with "watch":

“The details about how P2P feature works which will be helpful for you
understand why the camera need communicate with P2P servers,” Qu explained.
“Our company deploy many servers in some regions of global world.” Qu further
explained:

1. When the camera is powered on and connected to the internet, the camera
will log in our main P2P server with fastest response and get the IP address
of other server with low load and log in it. Then the camera will not connect
the main P2P server.

2. When log in the camera via P2P with Foscam App, the app will also log in
our main P2P server with fastest response and get the IP address of the server
the camera connect to.

3. The App will ask the server create an independent tunnel between the app
and the camera. The data and video will transfers directly between them and
will not pass through the server. If the server fail to create the tunnel, the
data and video will be forwarded by the server and all of them are encrypted.

4. Finally the camera will keep heartbeat connection with our P2P server in
order to check the connection status with the servers so that the app can
visit the camera directly via the server. Only when the camera power off/on or
change another network, it will replicate the steps above.”

Nothing inherently malicious about this, unless the vendor is irresponsible
with user data, or collects data it should not be collecting in the first
place.

[1] [http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/](http://krebsonsecurity.com/2016/02/this-is-why-people-fear-the-internet-of-things/)

------
stcredzero
Back in the early 2000's, I bought an off brand broadband router on sale that
turned out to be sending my DNS requests to a server in China.

~~~
simcop2387
One of the reasons that I don't trust anything I can't put my own firmware on.
Security problems, redirecting traffic (I think there was one that would
filter NXDOMAINs to their own search page), playing with DNS, and god knows
what else just make me way too paranoid about it if I can't either examine the
firmware myself or replace it with something I can (openwrt, tomato, ddwrt,
etc.)

~~~
Chris2048
Surely this doesn't protect you if there is hidden code on the chip?

~~~
simcop2387
Of course it doesn't. But that's also detectable by watching traffic on both
sides of the device (with another device entirely). It's also something that's
less likely to happen en masse in my opinion. Once found it'd completely tank
whatever chip manufacturer that was, as nobody would be able to trust anything
they made anymore. So I'd consider that to be in the realm of protecting
against governmental sized entities instead of the more likely rogue
developers/manufacturers that want to sell ads or botnet time.
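The detection approach in the comment above, watching traffic on both sides of a device from a separate machine, comes down to a bookkeeping question: which connections leaving the WAN port were never requested by anything on the LAN port? The following is an added example, not code from the thread or from any router project; the flow records are constructed sample data (documentation address ranges), and `EXPECTED_DEVICE_SERVICES` is an assumed per-deployment list of things the device legitimately originates itself, such as forwarding DNS queries upstream, so that they are not reported as hidden traffic.

```python
from collections import Counter

# Constructed sample flows as (src_ip, dst_ip, dst_port, proto); not a real capture.
# LAN-side capture: hosts behind the router talking to the router or to the internet.
LAN_SIDE = [
    ("192.168.1.20", "203.0.113.5", 443, "tcp"),   # laptop, HTTPS
    ("192.168.1.20", "192.168.1.1", 53, "udp"),    # laptop asks the router's DNS forwarder
    ("192.168.1.31", "203.0.113.9", 80, "tcp"),    # phone, HTTP
]
# WAN-side capture: everything leaving the router's public address after NAT.
WAN_SIDE = [
    ("198.51.100.200", "203.0.113.5", 443, "tcp"),
    ("198.51.100.200", "198.51.100.53", 53, "udp"),   # forwarder's upstream query, expected
    ("198.51.100.200", "203.0.113.9", 80, "tcp"),
    ("198.51.100.200", "203.0.113.77", 8080, "tcp"),  # no LAN host asked for this
    ("198.51.100.200", "203.0.113.77", 8080, "tcp"),
]

# Services the device itself is expected to originate (assumed per-deployment list).
EXPECTED_DEVICE_SERVICES = {(53, "udp"), (123, "udp")}


def _key(flow):
    # NAT rewrites the source, so correlate LAN and WAN flows on destination only.
    _src, dst, dport, proto = flow
    return (dst, dport, proto)


def device_originated(lan, wan, expected_services=frozenset()):
    """Return {(dst, dport, proto): count} of WAN-side flows that no LAN-side
    flow accounts for, skipping services the device is expected to originate."""
    requested = Counter(_key(f) for f in lan)
    observed = Counter(_key(f) for f in wan)
    unexplained = {}
    for key, n in observed.items():
        _dst, dport, proto = key
        if (dport, proto) in expected_services:
            continue
        extra = n - requested.get(key, 0)
        if extra > 0:
            unexplained[key] = extra
    return unexplained


if __name__ == "__main__":
    for (dst, dport, proto), n in device_originated(LAN_SIDE, WAN_SIDE,
                                                    EXPECTED_DEVICE_SERVICES).items():
        print(f"unexplained: {n} flow(s) from the device to {dst}:{dport}/{proto}")
```

Without the expected-services list the upstream DNS query to `198.51.100.53` would also be reported, which is the usual source of false positives in this kind of comparison; the list should be short and written down, because anything added to it is traffic the check will no longer see.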

------
nkrisc
> Raggo said buyers download the pairing app from an IP address scrawled on a
> piece of paper that comes with the u8 watch.

Sounds legit. Does that not raise any red flags?

~~~
nmc
In the video, the audience laughs at that line. But maybe many buyers would
not.

~~~
r3bl
If I have purchased this model (and I can't say I haven't thought about it
because this model is super popular in my country as I have stated in my
previous comment), even if it costs just $17 (which is not as cheap here as it
is in the US), without being aware that this is needed before buying it, I
would be a bit more open about installing that thing on my phone since I have
already bought it.

Even if it requests a bunch of permissions, I believe that it needs access to
your call logs, SMS etc. as its core functionality since it is, after all, a
smart watch that wants to display to you your notifications and allow you to
react on them.

I would be much more open then if I just stumbled on the app on Google Play
that requires the exact same permissions.

------
contingencies
Beat-up. This is 100% more likely to be just dodgy code than bad intentions:
the article states clearly that their idea of a pairing solution for customers
opening the product box is downloading an app from an IP address without a
domain name. Conclusion: It's just another small hardware operation. If they
wanted to do corporate espionage, they'd make it shiny and iPhone compatible.

~~~
externalmodem
I believe that I own this watch and it didn't ask me to sideload an APK.
Rather, the watch displayed a QR code that pointed me to an app on the Google
Play store. There may be something shady going on but the evidence here is not
clear cut.

~~~
themodelplumber
So the question is, how's the watch otherwise? :-)

------
dfc
The article is a little weak on the details. The talk is available on youtube:
[https://www.youtube.com/watch?v=mHQP8mrAYOQ](https://www.youtube.com/watch?v=mHQP8mrAYOQ)

------
HappyTypist
Have they thought it's for syncing the time with NTP? You know, being a watch
and all.

------
r3bl
This thing is _incredibly_ popular in my country. I've started looking at
smart watches half a month ago on the most popular online shopping service in
my country, and most of the results I got were exactly this one (judging from
the screenshot, since most of those selling it include no brand info, no
model info, no OS info).

~~~
wepple
if you don't mind; which country & what value do people see in them? I'm new
to all the smart-this smart-that, but know there are likely useful features.

~~~
r3bl
I, personally, have thought about buying this exact same model, because having
a thing on my wrist that I can use to quickly see my notifications and respond
to them seems appealing to me. Plus, it is fairly cheap, so in my head while I
was considering this, I had nothing to lose (notice that I was not aware of it
requesting the installation of an app over HTTP etc.).

Resellers here (Bosnia & Herzegovina) are selling it for a slightly higher
price (~19.5 USD, which I would accept because it does not require me waiting
for the thing to be delivered across the world).

I'm in the same situation as you, never had a smart-thing in my life (unless
you count Raspberry Pi and Google Cardboard, which I personally don't). I have
never realized the appeal of a smart watch until a colleague of mine just
clicked on its iWatch once, said something like "remind me that I have a
meeting tonight at 8 PM with XX at YY", and had the event created for him on
his iPhone. Seems way more convenient than actually getting my phone out of my
pocket, unlocking it, finding the app, and inputting the event details.

------
vedaprodarte
Random? I think it means the back-door owner owns several IP addresses and the
data are just "randomly" sent to those IP.

------
yueq
LOL. Sending data to any IP is dangerous!

