After the Nothing Chats affair, the British manufacturer is facing a new security flaw, this time in its first connected watch, the CMF Watch Pro.
Clearly, nothing is going well for Nothing. A few weeks after we discovered that its Nothing Chats messaging system, which promised compatibility with iMessage, was subject to major confidentiality concerns, it is now the manufacturer's first connected watch that is being criticized for security reasons.
A quick reminder of the facts: at the end of September, Nothing unveiled its very first connected watch, the CMF Watch Pro, sold under the CMF by Nothing brand. It is an entry-level connected watch with flat edges, a square screen and a particularly attractive price of 50 euros. It must be said that the watch mainly offers connected-bracelet functions and does not allow the installation of third-party applications.
However, just a few weeks after the release of the watch, journalist Dylan Roussel spotted a significant vulnerability in the code of the CMF Watch application (which pairs the watch with a smartphone). "In September, the CMF Watch application encrypted both the email address and the password, which was very good. But the encryption method used allowed anyone to decrypt the email address and password with the same keys," he indicates in a message posted on X (formerly Twitter).
In practice, anyone with access to an encrypted email address or password could have decrypted it, making the encryption useless.
A flaw partly corrected by Nothing
Since then, Nothing indicates that it has partly corrected the problem by modifying the password encryption method within its mobile application. However, as the site 9to5Google specifies, this is not yet the case for the email address. Questioned by the specialized site, Nothing's CMF brand nevertheless says it is attentive to these security risks and takes them "very seriously": "Team investigates security issues surrounding Watch app". Furthermore, the manufacturer has opened a page on its website to allow users to report possible vulnerabilities that it has not yet identified.
As 9to5Google nevertheless points out, this is the second time in a few weeks that Nothing has been at the heart of questions about user privacy and confidentiality concerns. As in the case of Nothing Chats, the CMF Watch application was not developed by Nothing, but by a service provider, in this case the Chinese developer Jingxun.