No different than sending data to a random us-east-1 IP address.
In this case there just aren't any English speakers to show up in the press and spit sophistry about how a stopwatch app needs to exfiltrate your entire contacts book for business reasons and "you clicked OK so fuck you."
agree; a device cheaper than a steak connecting to an IP address isn't news - just because it's a Chinese IP address doesn't mean you've got awesome presentation material.
Of course not. Perhaps "arbitrary IP address" would have been more precise phrasing, but I doubt many people though OP was suggesting that the IP address was literally random.
You're right. Even though I aimed my criticism at a market that is unreasonably trusting of locals, I think the reason this is news is fueled by distrust of the Chinese in specific and foreigners in general.
Dunno why you're so downvoted. Is the HN audience too thick to see your point, or was it using language too close to IRL politics?
Had a scare in a data centre once when the UPS started trying to connect to an IP hosted somewhere in China. Turned out when it did a DNS lookup for the SNMP server (or something - sorry about hand-waviness) the first response it got back was an IPV6 address (DNS AAAA record). And since the crappy TCP stack on the device had no IPV6 support, it was just interpreting the first four bytes of the AAAA record as an IPV4 address. One of our super smart sysadmins worked out what was going on and tweaked the DNS to return A record first - problem solved.
This strikes me as scaremongering: yes, it's possible that this is some soft of malicious behaviour, but the article provides no evidence of that beyond "China." It's far more likely that the cheap Chinese smartwatch manufacturer simply uses servers in China (imagine that!) for collecting diagnostic data or to provide benign functionality.
Agreed: to me the word "random" makes it seem like the IP address was randomly generated.
Interestingly enough, the author himself uses the word "random" to describe the address, but then implies it is indeed unique: "it didn't resolve to anything".
I believe he really meant "unknown" there, but he is a professional researcher, so what do I know? I guess we will have to wait for the paper he mentioned he was writing on the subject.
That usually makes sense when the object in question is fungible -- whether the person waiting for the bus was Joe or John or Jeff makes no difference.
But it's needlessly confusing to use "random" to describe something that's represented numerically unless it's mathematically random. "Arbitrary" or "unknown" is better.
Agreed that it's a bit ambiguous, but in modern British English this usage of "random" is really common. I didn't even think about the headline until people started discussing it.
From recent KrebsonSecurity article: This is Why People Fear the Internet of Things [1]
Replace "camera" with "watch":
“The details about how P2P feature works which will be helpful for you understand why the camera need communicate with P2P servers,” Qu explained. “Our company deploy many servers in some regions of global world.” Qu further explained:
1. When the camera is powered on and connected to the internet, the camera will log in our main P2P server with fastest response and get the IP address of other server with low load and log in it. Then the camera will not connect the main P2P server.
2. When log in the camera via P2P with Foscam App, the app will also log in our main P2P server with fastest response and get the IP address of the server the camera connect to.
3. The App will ask the server create an independent tunnel between the app and the camera. The data and video will transfers directly between them and will not pass through the server. If the server fail to create the tunnel, the data and video will be forwarded by the server and all of them are encrypted.
4. Finally the camera will keep hearbeat connection with our P2P server in order to check the connection status with the servers so that the app can visit the camera directly via the server. Only when the camera power off/on or change another network, it will replicate the steps above.”
Nothing inherently malicious about this, unless the vendor is irresponsible with user data, or collects data it should not be collecting in the first place.
One of the reasons that I don't trust anything I can't put my own firmware on. Security problems, redirecting traffic (I think there was one that would filter NXDOMAINs to their own search page), playing with DNS, and god knows what else just make me way too paranoid about it if I can't either examine the firmware myself or replace it with something I can (openwrt, tomato, ddwrt, etc.)
Of course it doesn't. But that's also detectable by watching traffic on both sides of the device (with another device entirely). It's also something that's less likely to happen en-mass in my opinion. Once found it'd completely tank whatever chip manufacturer that was, as nobody would be able to trust anything they made anymore. So I'd consider that to be in the realm of protecting against governmental sized entities instead of the more likely rogue developers/manufacturers that want to sell ads or botnet time.
Many cheap electronic devices come with a QR code that takes you to an HTTP site on an IP address in order to download the app, so this isn't especially shocking.
If I have purchased this model (and I can't say I haven't thought about it because this model is super popular in my country as I have stated in my previous comment), even if it costs just $17 (which is not as cheap here as it is in the US), without being aware that this is needed before buying it, I would be a bit more open about installing that thing on my phone since I have already bought it.
Even if it requests a bunch of permissions, I believe that it needs access to your call logs, SMS etc. as its core functionality since it is, after all, a smart watch that wants to display to you your notifications and allow you to react on them.
I would be much more open then if I just stumbled on the app on Google Play that requires the exact same permissions.
Beat-up. This is 100% more likely to be just dodgy code than bad intentions: the article states clearly that their idea of a pairing solution for customers opening the product box is downloading an app from an IP address without a domain name. Conclusion: It's just another small hardware operation. If they wanted to do corporate espionage, they'd make it shiny and iPhone compatible.
I believe that I own this watch and it didn't ask me to sideload an APK. Rather, the watch displayed a QR code that pointed me to an app the Google Play store. There may be something shady going on but the evidence here is not clear cut.
This thing is incredibly popular in my country. I've started looking at smart watches half a month ago on the most popular online shopping service in my country, and most of the results I got were exactly this one (judging from the screenshot, since most of those selling it don't include no brand info, no model info, no OS info).
if you don't mind; which country & what value do people see in them? I'm new to all the smart-this smart-that, but know there are likely useful features.
I, personally, have thought about buying this exact same model, because having a thing on my wrist that I can use to quickly see my notifications and respond to them seems appealing to me. Plus, it is fairly cheap, so in my head while I was considering this, I had nothing to lose (notice that I was not aware of it requesting the installation of an app over HTTP etc.).
Resellers here (Bosnia & Herzegovina) are selling it for a slightly higher price (~19.5 USD, which I would accept because it does not require me waiting for the thing to be delivered across the world).
I'm in the same situation as you, never had a smart-thing in my life (unless you count Raspberry Pi and Google Cardboard, which I personally don't). I have never realized the appeal of a smart watch until a colleague of mine just clicked on its iWatch once, said something like "remind me that I have a meeting tonight at 8 PM with XX at YY", and had the event created for him on his iPhone. Seems way more convenient than actually getting my phone out of my pocket, unlocking it, finding the app, and inputing the event details.
In this case there just aren't any English speakers to show up in the press and spit sophistry about how a stopwatch app needs to exfiltrate your entire contacts book for business reasons and "you clicked OK so fuck you."