Blog - Creative Collaboration

Nothing’s iMessage app wasn’t its only security lapse (Update: Statement)

December 4, 2023

C. Scott Brown / Android Authority

TL;DR

  • Nothing’s CMF Watch app encrypted emails and passwords suboptimally, allegedly allowing them to be decrypted using the same decryption keys.
  • The issue was partially fixed, as the encryption method of the passwords was updated, but not that of emails.
  • Nothing claims it is currently working to resolve the issues.

Update, December 4, 2023 (12:45 PM ET): Nothing has now provided a comment to Android Authority about the issues. A spokesperson for the company states:

CMF takes privacy issues very seriously and the team is investigating security concerns regarding the Watch app. We rectified initial credential concerns earlier in the year and are currently working to resolve the issues raised. As soon as this next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be more easily submitted via https://intl.cmf.tech/pages/vulnerability-report

Original article, December 4, 2023 (3:29 AM ET): Nothing has had some good success with the Nothing Phone 2, considering the novelty of the phone and the nascent brand image. To win over some of the iPhone audience, Nothing partnered with Sunbird to launch an iMessage-for-Android app called Nothing Chats. The app lasted about a day in the wild before being pulled down due to glaring security oversights. But there seem to be more skeletons in Nothing’s closet, as two more vulnerabilities have emerged.

Android developer and reverse engineer Dylan Roussel posted on X that he found two vulnerabilities centered around Nothing. The first was found in September in the CMF Watch app, which was built in partnership with a company called Jingxun. The CMF Watch app encrypted email usernames and passwords, but the encryption method allegedly left the door open to decrypting them with the same decryption keys, defeating the purpose of encryption.

Nothing/Jingxun fixed this vulnerability, but curiously, only for the password. You could still allegedly decrypt the email that is used as the username.

The second vulnerability has not been publicly detailed, but it relates to Nothing’s internal data. Nothing was informed of it in August, but it hasn’t been fixed yet.

Nothing has no mechanism for vulnerability disclosure or reporting of security issues. Users who find these issues have to resort to contacting the company through other channels, which isn’t ideal. Considering how much soup Nothing has found itself in recently, it would be a good idea to make it easier to report these issues to the company.

We’ve reached out to Nothing for comments. We’ll update this article once we hear back from them.

    © CC Startup, Powered by Creative Collaboration. © 2020 Creative Collaboration, LLC. All Rights Reserved.
