The Nothing Phone (1) and (2) have so far been praised for clean software, close to stock Android, with great home screen customization, and that has been the case since the company's first foray into being a smartphone OEM. However, as promising as that was, the company has not had a great month when it comes to security.
After the Nothing Chats debacle that unleashed a torrent of problems for the company, Nothing faces another security issue. Under the microscope this time is the recently launched sub-brand CMF, which focuses on affordable products such as smartwatches, earbuds and chargers. The problem specifically stems from the CMF Watch app, which was found to contain a security vulnerability that could expose users' email addresses and passwords.
Just as with Nothing Chats, the vulnerability was discovered in the CMF Watch app and quickly reported to the company by Dylan Russell, who posts his findings regularly on X/Twitter and 9to5Google. In this case, he discovered the issue back in September and has carefully documented it in the thread below.
Source – Dylan Russell | X
The CMF Watch app requires users to create an account with an email address and password, and the app then encrypts that data. However, the app also shipped the decryption method for that data inside the app itself, so the key material needed to reverse the encryption is available to anyone who has the app. This means any malicious actor can easily recover that sensitive information.
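To illustrate the flaw class described above, here is an added example (not code from the CMF Watch app, whose cipher and key handling are not described on this page): a constructed "protect" routine whose key and decrypt routine ship with the app, beside the hardened pattern where the password is never persisted on the device and the server keeps only a salted, slow hash. The stand-in cipher is a SHA-256 keystream XOR purely so the example runs on the standard library; the weakness is identical with AES when the key is embedded in the binary.

```python
import base64
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Constructed stand-in for a key compiled into the app. Anyone holding the app
# binary holds this value, so the "encryption" is only obfuscation.
APP_EMBEDDED_KEY = b"constructed-key-shipped-inside-the-app"


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def weak_protect(plaintext: str) -> str:
    """Weak pattern: reversible transform whose key lives in the app."""
    data = plaintext.encode()
    stream = _keystream(APP_EMBEDDED_KEY, len(data))
    return base64.b64encode(bytes(a ^ b for a, b in zip(data, stream))).decode()


def weak_recover(stored: str) -> str:
    """The matching decrypt routine, also inside the app: same key, same stream."""
    data = base64.b64decode(stored)
    stream = _keystream(APP_EMBEDDED_KEY, len(data))
    return bytes(a ^ b for a, b in zip(data, stream)).decode()


# Hardened pattern: the password is verified server-side against a salted,
# iterated hash and never stored on the device. The client keeps only an
# opaque session token (in the platform keystore), which can be revoked
# without ever exposing the password.
def server_register(password: str) -> dict:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return {"salt": salt, "hash": digest}


def server_login(record: dict, password: str) -> Optional[str]:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    if not hmac.compare_digest(candidate, record["hash"]):
        return None
    return secrets.token_urlsafe(32)  # what the app stores instead of the password
```

Note that nothing in the stored server record or the client token lets the original password be read back, whereas `weak_recover` succeeds with nothing more than what the app itself carries.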
The company has since partially fixed the issue by updating the encryption method for the password, but the email address is still technically vulnerable. However, in a statement to 9to5Google, Nothing said it was "currently working" to fix the remaining issues, and has since opened a reporting channel for vulnerabilities.
CMF takes privacy issues seriously and the team is investigating security concerns related to the Watch app. We corrected initial issues regarding credentials earlier in the year and are currently working to resolve the issues raised. Once this next fix is complete, we will roll out an over-the-air update to all CMF Watch Pro users. Security reports can now be submitted more easily via https://intl.cmf.tech/pages/vulnerability-report.
While it is good news that Nothing has acknowledged the problem and is taking the necessary steps to correct it, it is somewhat troubling that the company finds itself in this situation. As a relatively new OEM, especially one trying to launch a new sub-brand, having lapses in security is not a good thing. Hopefully, Carl Pei and his team have learned from this experience and will do a better job of making sure their apps are secure, especially when an outside company is involved in the process.
Header image credit: https://intl.cmf.tech/