Nothing recently introduced its sub-brand CMF; a few months later the company brought the CMF brand to many more markets, including Italy.
One of the new brand's products is a budget smartwatch. The device relies on a proprietary app for pairing with the smartphone, for configuration and for managing some of its controls; unfortunately it emerged that this application had some serious security problems, some of which Nothing has fortunately already resolved.
Nothing fixes an issue in the CMF Watch app and offers a new way to report vulnerabilities
The vulnerabilities found in the CMF Watch app are not news as such: the report by developer Dylan Roussel (a contributor to 9to5Google), posted on the social network X (formerly Twitter), dates back to September. His research showed that Nothing had outsourced development of the app to an external company, Jingxun, which in itself is not unusual and is common practice among other brands too.
The basic problem lies in the work carried out by that company, which overlooked some important details from a security standpoint, details which, to be fair, Nothing itself also failed to catch. To be used at all, the CMF Watch app requires users to create an account with an email address and a password. The app encrypts these credentials, but it leaves the decryption key on the device itself. Encryption only protects data from someone who does not hold the key: when the key is shipped with the app or stored next to the ciphertext, anyone who can obtain a copy of the app and its local storage can decrypt the account email and password, so the encryption step adds nothing and the credentials are effectively exposed to an attacker.
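As an added illustration (not the CMF Watch app's code, whose internals are not public), the following Python models the flaw described above and a safer alternative. It assumes a hypothetical app that keeps a hardcoded key next to the encrypted credentials, uses an HMAC-SHA256 counter-mode stream cipher as a standard-library stand-in for AES, and models the server side with a minimal `AuthServer` class; every name, key and credential in it is constructed for the example.

```python
import hashlib
import hmac
import json
import secrets


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256.

    Standard-library stand-in for AES-CTR so the example runs without
    third-party packages. The flaw shown below does not depend on the
    cipher: any cipher is useless when its key sits beside the ciphertext.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# ---- Vulnerable pattern: the decryption key ships with the app ------------
# Constructed value; it stands for a constant an attacker can lift from the
# app package (or from a file in app storage) by simply unpacking it.
HARDCODED_APP_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def vulnerable_store(email: str, password: str) -> dict:
    """What the hypothetical app writes to local storage: 'encrypted' credentials."""
    nonce = secrets.token_bytes(16)
    plaintext = json.dumps({"email": email, "password": password}).encode()
    return {
        "nonce": nonce.hex(),
        "ciphertext": keystream_xor(HARDCODED_APP_KEY, nonce, plaintext).hex(),
    }


def attacker_recover(storage: dict, key_from_apk: bytes) -> dict:
    """Offline attacker holding a copy of the app (hence the key) and the storage file."""
    plaintext = keystream_xor(
        key_from_apk,
        bytes.fromhex(storage["nonce"]),
        bytes.fromhex(storage["ciphertext"]),
    )
    return json.loads(plaintext)


# ---- Hardened pattern: the password never reaches local storage -----------
class AuthServer:
    """Minimal server model: salted password hashes and revocable session tokens."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}  # email -> (salt, hash)
        self._tokens: set[str] = set()                      # valid session tokens

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._hash(password, salt))

    def login(self, email: str, password: str) -> str:
        salt, stored = self._users[email]
        if not hmac.compare_digest(stored, self._hash(password, salt)):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens.add(token)
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._tokens

    def revoke(self, token: str) -> None:
        self._tokens.discard(token)


def hardened_store(server: AuthServer, email: str, password: str) -> dict:
    """Log in once and keep only the server-issued token.

    The password is used for the login request and then discarded, so a copy
    of local storage yields at most a token the server can revoke. On Android
    the token itself belongs in Keystore-backed storage rather than a plain
    file, but even a leaked token is far less damaging than a leaked password
    (which users tend to reuse elsewhere).
    """
    token = server.login(email, password)
    return {"email": email, "session_token": token}


if __name__ == "__main__":
    blob = vulnerable_store("user@example.com", "correct horse battery staple")
    print("attacker recovered:", attacker_recover(blob, HARDCODED_APP_KEY))
    srv = AuthServer()
    srv.register("user@example.com", "correct horse battery staple")
    safe = hardened_store(srv, "user@example.com", "correct horse battery staple")
    print("hardened storage holds:", sorted(safe))
```

Running the block shows the attacker recovering the full email and password from the vulnerable storage with nothing more than the key embedded in the app, while the hardened storage contains no password at all and the token it holds can be invalidated server-side.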
CMF takes privacy issues very seriously and the team is investigating security issues related to the Watch app. We resolved initial credentialing concerns earlier this year and are currently working to resolve the issues raised. As soon as the next fix is complete, we will roll out an OTA update to all CMF Watch Pro users. Security reports can now be submitted more easily via https://intl.cmf.tech/pages/vulnerability-report.