The Naval Criminal Investigative Service (NCIS) and Army Criminal Investigative Service are investigating reports by several service members that they received unsolicited smartwatches in the mail. A press release by the Army Criminal Investigative Service stated that when the smartwatches were used, they connected to Wi-Fi, connected to cell phones without prompting, and gained access to user data. Further, the smartwatches had malware that allowed not just access to data like banking information, and account information, including passwords and contacts, but also sent the information. The malware was noted to potentially contain voice and cameras allowing access to conversations by the service member.
NCIS and Army Criminal Investigative Service have advised not to turn on the device if one is received but to turn it into your unit security manager or local counterintelligence agency. They have not announced how many service members were affected or which service branches were affected.
Many units already do not allow smartwatches. Secure areas do not allow service members to wear smartwatches. Deployed troops were not allowed to utilize smartphones, fitness trackers, or even dating apps using geolocating features in 2018.
“Smartwatches, like any wearable device, can be used by adversaries to gain a wide collection of personal information and pose a security threat to U.S. Navy and U.S. Marine Corps service members,” NCIS spokesperson Jeff Houston stated in a CNN article.
This is not the first time a group has been targeted for information. In 2022, an Eastern European cybercriminal group tried to hack US companies in the transportation, defense, and insurance sectors by mailing people within the organization USB drives with malware on them. Per an article on CNN, several fake letters were sent via the US Postal Service and UPS impersonating the Department of Health and Human Services or Amazon, and the letters contained a USB with malware on it. The malware allowed access to the networks. The FBI determined that these acts were due to the FIN7, an Eastern European cybercriminal group. According to the a previous report, the organization had used USB sticks in 2020.
There is no return address on the packages being sent. It is unknown where the smartwatch devices are coming from or who is collecting or looking to collect data. If any suspicious devices are ever received in your mail, do not connect to them, or open them. If you receive devices that you did not order, or you know a friend or family sent, immediately stop opening the package. Notify your service branch criminal investigative service immediately. The phrase Loose Lips Sink Ships may not specifically apply to this, but using an unknown device can open you, your family and possibly your unit up to unwanted information sharing.