Nothing's CMF Watch App Has A Concerning Security Bug
Nothing was initially notified of this problem in September.
A security bug was spotted in the CMF Watch app, which is used to set up and control the new CMF smartwatch from London-based firm Nothing. Even though the Nothing Phone (2) ships with good software, the company is gaining a reputation for concerning security issues following this incident involving its CMF sub-brand, says a report by 9to5Google.
According to 9to5Google contributor Dylan Roussel, the CMF Watch app has addressed a security vulnerability, mitigating the risk of exposing user email addresses and passwords.
The app itself, as Dylan initially discovered, was developed with the help of a separate company, “Jingxun”. That in itself wasn’t really an issue; the vulnerability lay a bit deeper within the app. As Dylan explains, the CMF Watch app requires users to create an account with an email address and a password, and the app then encrypts that data, which is a good thing. However, the app also shipped the decryption method for that data, along with the keys it uses, inside the app itself, meaning it wouldn’t take much for a malicious party to access that sensitive information.
The issue was elaborated on X (formerly Twitter) as follows: "So what's the problem? Back in September, the CMF Watch app was encrypting both the email and password, which was great! But the encryption method used also allowed anyone to decrypt the email and password with the exact same keys."
— Dylan Roussel (@evowizz) December 1, 2023
Nothing was initially notified of this problem in September. The company has taken partial measures to address it, updating the encryption method for passwords in the app's latest versions, but the vulnerability still persists for registered email addresses, which remain technically exposed.
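To make the flaw concrete, here is an added model (not the CMF Watch app's own code) of the pattern the report describes: credentials encrypted with one static key that every installed copy of the app carries, so any copy can decrypt any user's data. The cipher, the key value and the function names are constructed stand-ins; the hardened half shows the approach a reviewer would ask for on passwords, which is a salted, slow hash that keeps no reversible copy at all.

```python
import hashlib
import hmac
import os
import secrets

# Assumption: one static key baked into the client binary (constructed value, not the real one).
APP_EMBEDDED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream; a stand-in for whatever cipher the app used."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_with_app_key(plaintext: bytes) -> bytes:
    """The flawed pattern: encrypt with the key every installed copy of the app holds."""
    nonce = os.urandom(12)
    ks = keystream(APP_EMBEDDED_KEY, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt_with_app_key(blob: bytes) -> bytes:
    """The app's own decrypt routine; nothing beyond the app itself is needed to run it."""
    nonce, body = blob[:12], blob[12:]
    ks = keystream(APP_EMBEDDED_KEY, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def recoverable_by_any_app_copy(blob: bytes, expected: bytes) -> bool:
    """Reviewer's check: a key that lives in the app protects nothing from anyone holding the app."""
    return decrypt_with_app_key(blob) == expected


# Hardened pattern for passwords: keep only a salted scrypt digest and verify against it.
def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison
```

For data that must stay recoverable, such as the email address, the key has to live somewhere the app's users cannot all read, typically on the server or in the device's hardware-backed keystore for local copies.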
In a recent conversation with 9to5Google, Nothing stated that it is actively working to resolve the remaining issues, emphasizing that the initial problem has been fixed. Notably, Nothing has established a contact point for reporting security vulnerabilities.
Meanwhile, Nothing has announced a significant price cut on the Nothing Phone (2), its second smartphone. Its prices have been cut by Rs 5,000 permanently. Available on e-commerce site Flipkart, the base model with 8GB RAM and 128GB storage is now priced at Rs 39,999. Powered by the Qualcomm Snapdragon 8 Gen 1 SoC, the phone features a distinctive Glyph interface, a dual rear camera setup led by a 50-megapixel primary sensor, and a 4,700mAh battery.