The US Naval Criminal Investigative Service is investigating after multiple Navy personnel reported receiving unsolicited smartwatches in the mail that could have data-stealing malicious software installed on them, an NCIS spokesperson told CNN on Friday.
The news comes after the Army warned publicly this month that “service members across the military” had reported receiving the devices in the mail.
It’s unclear who is mailing the suspicious watches, but the devices are telltale signs of a counterintelligence and cyberthreat. When used, the devices automatically connected to wireless networks and cell phones, “gaining access to a myriad of user data,” the advisory from the Army’s Criminal Investigation Division (CID) said.
The watches may also contain malware that would “grant the sender access to saved data to include banking information, contacts, and account information such as usernames and passwords,” the advisory said.
“Smartwatches, like any wearable device, can be used by adversaries to gain a wide collection of personal information and pose a security threat to U.S. Navy and U.S. Marine Corps service members,” NCIS spokesperson Jeff Houston told CNN in an email, adding that service members receive counterintelligence training to deal with such situations.
The scope of the US military’s exposure to the suspicious watches is unclear. Houston declined to comment on how many Navy personnel received the watches, or who might be mailing them, citing an ongoing investigation.
A spokesperson for the Army CID referred questions on the advisory to the Air Force Office of Special Investigations, which did not respond to requests for comment.
Experts told CNN that smart devices, if unsecured, pose a persistent counterintelligence threat to US military personnel because of their ubiquity and the sensitive data they collect.
“Junior-enlisted members of the military don’t make a ton of money, so getting a free smartwatch in the mail would certainly be exciting for many,” Rick Holland, an Army veteran and cybersecurity executive, told CNN.
Such watches could be “a valuable collection source for a foreign intelligence agency,” said Holland, who is chief information security officer at cybersecurity firm ReliaQuest. “Watches that are then paired with phones could have access to even more data that would be valuable for building profiles on individual soldiers as well as their units.”
The vast amount of personal data for sale online is an “increasingly powerful” tool for intelligence gathering by US and foreign spying agencies, according to a recently declassified US intelligence report.
The Pentagon in 2018 announced a ban on deployed personnel using fitness trackers, smartphones and potentially even dating apps that use geolocating features. That followed a review of such practices after Strava, a fitness tracking app, may have inadvertently revealed the locations of security forces around the world.
Foreign intelligence services aren’t the only groups interested in using the mail to infiltrate targets.
A prolific Eastern European cybercriminal group has previously tried to hack US companies in the transportation, defense and insurance sectors by mailing those organizations malicious USB drives, the FBI warned US businesses last year in an advisory obtained by CNN.
CNN’s Haley Britzky contributed reporting.