Who watches the watchmen? A social engineer’s cautionary tale of spy watches

I regularly get to order all sorts of strange things from Amazon. This is because it’s a social engineer’s one stop shop!

You can get keyloggers (for child monitoring of course), room bugging equipment (to keep watch on your suspect nanny), and hidden cameras in all shapes and sizes.

Most social engineers know all about pen cameras, button hole cameras and even ones fitted into glasses frames. But there is a new kid on the block and he’s a bit harder to detect and far easier to slip into places undetected… the spy watch.

I took the liberty of ordering more than one. And in truth I actually ordered them over a period of time. The oldest one in the one far right of the image and it was early generation tech.

The ones on the middle and the left are newer and have more storage capacity. The early models came with 4 or 8GB of memory in a micro SD card (we’ll take a look at that later), now they go up to 64GB of storage and as we will see this is upgradable.

These purport to be as follows:

• 1280×720 or 1920×1080 video
• USB 2.0
• Saves in AVI format
• Pictures in jpg format
• Waterproof (some models) to 3 atmospheres
• Filming time 1 hour (varies and I have had longer if not in continuous usage)
• Film rate of 15 frames per second.
• Full sound recording (we’ll come back to this later too)

Some models claim infra red or “night vision” (limited) capabilities

Now… I was originally not overly enamoured with these watches. The early ones died all too regularly and were temperamental and let me down when on a job for a client. I did persevere and found that as they have matured the build quality has gone up, while the prices have dropped. Two years ago you’d pay close to £100 for one of these. Now they ship them out from amazon for as little as £20. The average price is about £35 and top whack is £50 or if you really want to go specialist

As I said the models vary and new ones even come with mobile phones built in (which if you ever grew up reading Dick Tracy comics, it’s exactly like that). This newer version allows for dual SIM (my phone doesn’t even do that) and connects to Bluetooth etc.

When the early model went dead on me (this is not an uncommon complaint about these devices so I am guessing the build quality is represented in the low pricing) I decided to pop one open and see what lived inside.

The big chip in the middle is some standard DRAM which sells for less than $2 USD (see www.memoryten.com/p/005516.htm). As you can also see the standard MicroSD storage is there too.

Once you pop out the innards you notice the watch function runs standalone and on its own battery. This also means I now know an easy way of disabling the annoying CLICK, CLICK, CLICK on the soundtrack for any videos taken as the watch continues to work just fine even with the watch gutted as it is. This also turns the watch into a storage medium which with the dead spy components removed is capable of holding 4 UK 2 pound coins and still closing and the watch will remain functional. Now I’m not one for smuggling £8 in and out of offices but it does highlight a reasonable capacity and if the watch isn’t being used for its intended purpose it could be used as a means of sneaking in or out other devices or storage into zones they shouldn’t.

The flip side of the workings had more interesting stuff on board. The obvious power linkage and LEDs as well as the camera device and microphone.

The on-board CPU raised some interesting links when I did a google on it. Almost all of them Russian and pertaining to hacking DVR cameras and some stuff that google decided infringed copyright which leads me to believe it’s also related to DRM bypass. So I went to the place that sells ANYTHING on the net….. Alibaba. And sure enough I found the chips for sale (originally from the US and seemingly not for sale or not at least online over there). But they list the chips “application usages” as:

• Application-1: Alarm, Computer, Car TV, Camera Watch, Mobile Phone, Laptop
• Application-2: MP3/MP4/MP5 Player, Electric Toy, DVD Telecoms, GPS locations
• Application-3: High Tech/Military/Civil/Industry.

This led to believe that the chip was high function and could possibly do more than just be a spy watch. It looks like some of the Dick Tracy wannabees have taken that option and are exploiting the full functions of the chip. Alas I couldn’t find a suitable specifications sheet to see exactly what was inside the chip. I believe the chip is probably capable of more as only ¼ of the pins on it have been utilised for the device which is probably done to reduce power consumption and obtain just limited functions from the chip.

Now the interesting bit came after a recent purchase of two new spy watches. And when plugging it in for the first time, up pops the AV and warns me the device contains malware! It quarantined the files and was rendered inert. The malware specifically was the following:

1. Autorun.inf – standard loader
2. _REC.exe – Win32/agent.NEC worm
3. Cleardisk.pif – Win32/autorun.FXT.Gen worm

I passed over the code to the debugger specialists and they confirmed it had enough bad stuff in it that you wouldn’t want it on your PC as it could potentially install key loggers or other backdoor software. While we couldn’t find any direct data transmissions it was embedded enough that it would be difficult to extract once embedded and has the ability to retrieve updates and run other programs. All in all you really wouldn’t install it by choice.

Was this intentional or an accident? I’m going to have to go for at least “semi-intentional”, only because the boxes were sealed before I got them, there was no signs of previous usage and the watch was still covered in its protective plastics. So either the malware was installed intentionally to catch the unwary or it found its way into the supplier’s network and has propagated all the way to his stock. This is not beyond the realms of possibility because even Vodafone suffered from this exact same problem several years ago.

You might ask “is the watch worth the risk?” Well if you are good with a VM and can run a suitable sandpit then you may not have any cause for concern, but if you are just someone who thinks it might be fun to spy on others, then be aware that Karma comes pre-supplied on this watch. ;-)

So, while I am using the watch to watch others… maybe the watch is watching me watching others. Who is watching the Watchmen?