WASHINGTON — Smartwatches capable of automatically connecting to cellphones and Wi-Fi, then gaining access to user data, are being shipped to members of the U.S. military seemingly at random, raising cybersecurity concerns.
The Department of the Army Criminal Investigation Division, or CID, in an announcement last week warned the watches may contain malware, potentially granting whoever sent the peripherals “access to saved data to include banking information, contacts, and account information such as usernames and passwords.”
A more innocuous tactic may also be to blame: so-called brushing, used in e-commerce to boost a seller’s ratings through fake orders and reviews.
The CID, an independent federal law enforcement agency consisting of thousands of personnel, did not say exactly how many smartwatches have been distributed so far.
Wearable technology and downloadable applications have long clashed with the national security ecosystem, where secrecy is paramount. Smartwatches and their software log personal info and location data, can record audio, and often lack a sufficient means to validate users.
The New York Times in 2018 reported that Strava, a fitness app that posts a map of user activity, unwittingly revealed locations and habits of military bases and personnel, including those of American forces in the Middle East. And in 2020, Bellingcat reported military and intelligence personnel could be tracked via Untappd, a beer-rating social network.
The investigation division said troops who receive an unsolicited smartwatch should not turn the device on and should instead report the matter to a counterintelligence or security official.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.