
Nothing had another worrying security problem in its CMF Watch app; now there’s a way to report it

The Nothing Phone (2) has stellar software in terms of the user experience, but the company is starting to develop a bit of a track record around worrying security problems, with the latest example coming from the company’s CMF sub-brand.

CMF, Nothing's sub-brand, is focused on delivering very low-cost products, including a $69 smartwatch. That watch is set up and partly controlled through a companion app, and that app had a worrying security problem behind the scenes.

As spotted by 9to5Google contributor Dylan Roussel and detailed in a thread on Twitter/X, the CMF Watch app has partially fixed a security vulnerability that could expose user email addresses and passwords.

The app itself, as Dylan initially discovered, was developed with the help of a separate company, "Jingxun." That, in itself, wasn't really an issue, but the vulnerability lay a bit deeper within the app. As Dylan explains, the CMF Watch app requires users to create an account with an email address and a password, and the app then encrypts that data, which is a good thing. However, the app also shipped the decryption method for that data inside the app itself, meaning it wouldn't take much for a malicious party with a copy of the app to recover that sensitive information.

Effectively, it made the encryption practically useless.
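The flaw described above is a general one: if the routine (and whatever secret it needs) that reverses the encryption is compiled into an app that every user installs, the ciphertext offers no confidentiality against anyone who has the app. The following is an added illustration, not the CMF Watch app's or Jingxun's code; the cipher is a deliberately simple stand-in, and the key, function names and sample credentials are all constructed for the demonstration. It pairs the weak pattern with the server-side alternative a defender would want: a salted, irreversible password hash, so there is nothing to decrypt in the first place.

```python
"""Why a decryption routine shipped inside the client defeats client-side
credential encryption, and what a server-side design does instead.

Added illustration; not the CMF Watch app's code. The cipher, the key and
the sample credentials are all constructed for this demonstration.
"""
import hashlib
import hmac
import os

# Constructed: a key baked into the client at build time. Anyone who can
# read the app package (that is, every user) can read this too.
SHIPPED_KEY = b"demo-key-compiled-into-the-app"
NONCE_LEN = 12
SALT_LEN = 16
PBKDF2_ROUNDS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), for illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(plaintext: bytes) -> bytes:
    """What the client does when it 'encrypts' with a built-in key.
    Returns nonce || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(SHIPPED_KEY, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_inside_app(ciphertext: bytes) -> bytes:
    """The matching routine, also inside the app. Because key and method
    travel with the binary, this works for anyone holding the app, so the
    'encrypted' email and password are recoverable by design."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(SHIPPED_KEY, nonce, len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


# --- Server-side alternative: store an irreversible, salted password hash.
# The client sends the password once over TLS; the server never stores a
# reversible form, so there is no decryption routine to leak.

def hash_password(password: str) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. Returns salt || digest (48 bytes)."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample credential; not real account data.
    secret = b"user@example.com:correct horse battery staple"
    blob = client_encrypt(secret)
    print("recoverable by anyone holding the app:", decrypt_inside_app(blob) == secret)

    record = hash_password("correct horse battery staple")
    print("server accepts right password:", verify_password("correct horse battery staple", record))
    print("server rejects wrong password:", verify_password("wrong", record))
```

The first half shows why the encryption is "practically useless": `decrypt_inside_app` needs nothing an attacker does not already have once they install the app. The second half stores only a salted PBKDF2 digest; a leaked database or a reverse-engineered client yields no routine that turns the stored value back into a password.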

9to5Google assisted Dylan in reporting the issue to Nothing in September as, at the time, Nothing had no direct point of contact for security/privacy vulnerabilities.

The company has since partially fixed the problem, as in the latest versions of the app, the encryption method for the password has been updated, though the email address is technically still at risk.

Speaking to 9to5Google this week, Nothing says that it is “currently working” to fix the remaining issues and reiterates that the initial issue was fixed. More importantly, Nothing has since opened up a point of contact for security vulnerabilities.

CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report.

Notably, not only is a vulnerability point of contact available for CMF but also for Nothing itself.

While this issue wasn’t nearly as impactful as the Nothing Chats/Sunbird issues from November, it shows a worrying trend with Nothing as, at least twice now, the company’s partners have left gaps in security that Nothing itself probably should have been able to identify. But, at the very least, the company seems to be pushing things in the right direction.


Author: Ben Schoon

Ben is a Senior Editor for 9to5Google.

Find him on Twitter @NexusBen. Send tips to schoon@9to5g.com or encrypted to benschoon@protonmail.com.
