The US Naval Criminal Investigative Service (NCIS) is conducting an investigation following reports from multiple Navy personnel who received unsolicited smartwatches in the mail. These watches could potentially be installed with data-stealing malicious software, according to an NCIS spokesperson. The Army had previously issued a public warning about service members across the military receiving similar devices.
The origins of these suspicious watches remain unclear, but they are indicative of a counterintelligence and cyberthreat. Once activated, the watches automatically connect to wireless networks and cell phones, enabling the collection of various user data. The Army’s Criminal Investigation Division (CID) advisory noted that the watches may also contain malware that allows the sender to access saved data, including banking information, contacts, usernames, and passwords.
NCIS spokesperson Jeff Houston emphasized that smartwatches, like any wearable device, can be exploited by adversaries to acquire personal information and pose security risks to US Navy and Marine Corps service members. He confirmed that service members receive counterintelligence training to address such situations. The extent of the US military’s exposure to these suspicious watches remains unknown, as the investigation is ongoing.
Experts highlight the persistent counterintelligence threat posed by unsecured smart devices due to their prevalence and the sensitive data they collect. Rick Holland, an Army veteran and cybersecurity executive, points out that such watches could serve as a valuable collection source for foreign intelligence agencies. When paired with smartphones, the potential access to additional data becomes even more concerning, enabling the construction of profiles on individual soldiers and their units.
The sale of vast amounts of personal data online has become an increasingly powerful tool for intelligence gathering, as highlighted by a recently declassified US intelligence report. Recognizing these risks, the Pentagon implemented a ban in 2018 on deployed personnel using fitness trackers, smartphones, and potentially even dating apps with geolocation features, following concerns raised by the inadvertent disclosure of security force locations by a fitness tracking app called Strava.
It is worth noting that foreign intelligence services are not the sole entities interested in infiltrating targets through the mail. Last year, the FBI issued an advisory revealing that an Eastern European cybercriminal group attempted to hack US companies in the transportation, defense, and insurance sectors by sending malicious USB drives via mail.
The incident involving the unsolicited smartwatches highlights the critical need for ongoing vigilance and enhanced security measures to safeguard sensitive data within the military and other sectors. It serves as a reminder of the potential risks associated with untrusted devices and emphasizes the importance of cybersecurity training and awareness to mitigate such threats effectively.