NCIS: "Free Smartwatches" for Sailors Might be Covert Cyberattack
The U.S. Navy has received multiple reports of sailors receiving free smartwatches in the mail, raising concerns that the devices could be gift "Trojan horses" from a spy agency or a hacker. Investigators believe it is possible that a threat group could be attempting to insert malware or steal data when the unasked-for accessories connect to the user's smartphone.
The U.S. Naval Criminal Investigative Service (NCIS) is conducting an investigation into the reports, which resemble a pattern recently picked up by the Army's Criminal Investigation Division (CID). The devices examined by CID exhibited concerning behavior when turned on: they would automatically connect to Wi-Fi and cell phones, unprompted, and would gain access to "a myriad of user data." While this is not proof of intentional hacking activity, it is a capability that could be useful to a cybercriminal or foreign intelligence agency targeting military personnel.
CID warned servicemembers that the devices could also contain malware designed to access saved data, such as banking information, usernames and passwords. Malware introduced by connecting to an unknown device like a smartwatch could also enable an outside actor to eavesdrop through the phone's camera and microphone - a desirable capability for spying on military personnel.
This type of attack vector has been used before. In early 2022, an Eastern European criminal hacking group sent fake letters containing a USB stick to a variety of American companies. The letters purported to come from Amazon or from the Department of Health and Human Services, but their actual intention was to fool the recipient into inserting the USB stick in a computer - starting the transfer of a malware package.
There may also be a relatively innocent (if unscrupulous) explanation, CID said. These unwanted smartwatches might also be used for "brushing." This is the practice of sending products, often fake, to random recipients in the mail. This lets the sender (the vendor) write fake positive reviews of their own product using the receiver's name.
Brushing would not pose the same level of risk as an active hacking attempt, but a smart device can still create an inadvertent security gap. Fitness tracking devices, social media apps and other consumer-grade technology have been used to remotely track the positions of U.S. military servicemembers in the past, even though the tech was never intended for this purpose.
Whether the free smartwatches are intentionally malicious or simply disreputable, CID and NCIS have easy-to-follow advice for servicemembers who receive unwanted electronics in the mail: do not turn them on, and report them to counterintelligence.