Service members across the United States military have reportedly been receiving unsolicited smartwatches in the mail, which is raising cybersecurity concerns.

According to a release issued by the U.S. Department of the Army Criminal Investigation Division (CID), the smartwatches, when used, have auto-connected to Wi-Fi and began connecting to cell phones unprompted, gaining access to a myriad of user data.

 The CID said the smartwatches may also contain malware that would grant the sender access to saved data to include banking information, contacts and account information such as usernames and passwords. The malware could also allow access to both voice and cameras which would allow malicious actors to access conversations and accounts tied to the smartwatches.

“These products may also be used for Brushing. This is the practice of sending products, often counterfeit, unsolicited to seemingly random individuals via mail in order to allow companies to write positive reviews in the receiver's name allowing them to compete with established products,” the release stated.

If one of these devices is received, service members are being told to not turn the device on and report it to their local counterintelligence or security manager.

Security leaders weigh in

Melissa Bischoping, Director, Endpoint Security Research at Tanium:

“Most people have heard about techniques involving leaving random malicious USB devices around for curious victims to plug in. This ‘surprise smartwatch’ tactic leverages the same human curiosity, and grants a threat actor access to some of your most sensitive personal information. As the adage goes, if it’s too good to be true, it probably is, and if you’re not paying for the product, you are the product. In this economy, no one is sending out free gadgets for funsies, so the arrival of an unexpected package should raise suspicions and warrant investigation into the authenticity or identity of the sender. Best case? Someone sent you a birthday gift and forgot to include a card. Worst case? You’re compromising your personal and/or professional data with malware.”

Gareth Lindahl-Wise, CISO at Ontinue:

“This is not unlike the old technique of leaving a USB stick on the floor and hoping someone would plug it into their laptop. The ability of a smartwatch to deeply interact with a paired mobile device should be of great concern. The dangers of fitness trackers (such as Fitbit and Strava) disclosing the location of military personnel and installations was seen towards the end of the Afghan conflict. A wealth of personal information, such as emails, chats, location and banking information could be exposed — but also consider the exposure of authentication apps, many of which can be used on smartwatches — which could lead to personal and corporate account compromise. These unsolicited 'goodies' must be reported and dealt with appropriately.”

Casey Ellis, Founder and CTO at Bugcrowd:

"Trojan horses aren’t a new idea, but this attack is remarkable to me because of the combination of its scale, it’s brazenness and the associated costs."