The Nothing Phone (2) has stellar software in terms of the user experience, but the company is starting to develop a bit of a track record around worrying security problems, with the latest example coming from the company’s CMF sub-brand.
CMF, a part of Nothing’s brand, is focused on delivering very low-cost products, including a $69 smartwatch. That watch connects through an app that is used for setup and some controls, but that app had a worrying security problem behind the scenes.
As spotted by 9to5Google contributor Dylan Roussel and detailed in a thread on Twitter/X, the CMF Watch app had a security vulnerability that could expose user email addresses and passwords, and it has only been partially fixed.
The app itself, as Dylan initially discovered, was developed with the help of a separate company, “Jingxun.” That, in itself, wasn’t really an issue, but the vulnerability lay a bit deeper within the app. As Dylan explains, the CMF Watch app requires users to create an account with an email address and a password, and the app then encrypts that data, which is a good thing. However, the app also left the decryption method for that data available in the app itself, meaning it wouldn’t take much for a malicious party with a copy of the app to access that sensitive information.
Effectively, it made the encryption practically useless.
9to5Google assisted Dylan in reporting the issue to Nothing in September as, at the time, Nothing had no direct point of contact for security/privacy vulnerabilities.
The company has since partially fixed the problem: in the latest versions of the app, the encryption method for the password has been updated, though the email address technically remains at risk.
Speaking to 9to5Google this week, Nothing says that it is “currently working” to fix the remaining issues and reiterates that the initial issue was fixed. More importantly, Nothing has since opened up a point of contact for security vulnerabilities.
CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report.
Notably, not only is a vulnerability point of contact available for CMF but also for Nothing itself.
While this issue wasn’t nearly as impactful as the Nothing Chats/Sunbird issues from November, it shows a worrying trend with Nothing as, at least twice now, the company’s partners have left gaps in security that Nothing itself probably should have been able to identify. But, at the very least, the company seems to be pushing things in the right direction.
More on Nothing:
- Nothing Chats, the Sunbird-based iMessage app, is a privacy nightmare with unencrypted messages and images
- Nothing’s CMF brand launches first products, including $69 smartwatch
- Nothing Phone 2’s lights will count down to your next Google Calendar event