Smartwatch Hacked... Data Exchange with Smartphone Not So Secure

Discussion in 'Tech News' started by LoudRam, Dec 11, 2014.

  1. LoudRam

    LoudRam Senior Member

    Joined:
    Dec 18, 2010
    Messages:
    1,430
    Likes Received:
    137
    Trophy Points:
    63
    Location:
    Southern NJ
    Ratings:
    +146
    Current Phone Model:
    Moto X
    We are living in an era of smart devices that we sync with our smartphones and make our lives very simple and easy, but these smart devices that inter-operates with our phones could leave our important and personal data wide open to hackers and cybercriminals.
    Security researchers have demonstrated that the data sent between a Smartwatchand an Android smartphone is not too secure and could be a subject to brute force hacks by attackers to intercept and decode users' data, including everything from text messages to Google Hangout chats and Facebook conversations.
    Well this happens because the bluetooth communication between most Smartwatches and Android devices rely on a six-digit PIN code in order to transfer information between them in a secure manner. Six-digit Pin means approx one million possible keys, which can be easily brute-forced by attackers into exposing entire conversations in plain text.
    Researchers from the Romania-based security firm Bitdefender carried out a proof-of-concept hack against a Samsung Gear Live
    smartwatch
    and a paired Google Nexus 4handset running Android L Preview. Only by using sniffing tools available at that moment, the researchers found that the PIN obfuscating the Bluetooth connection between both devices was easily brute forced by them.
    Brute force attack is where a nearby hacker attempts every possible combination until finding the correct one. Once found the right match, they were able to monitor the information transferring between the smartwatch and the smartphone.
    The researchers explained that their findings were "pretty consistent with [their] expectations" and without a great deal of effort, an encrypted communications between wearable technology and smartphones could be cracked and left open to prying eyes.
    This new discovery is important particularly for those who are concerned about their personal data, and considering the increase in the market of smartwatches and wearable devices at the moment, the discovery will definitely made you to think before using one.
    HOW TO PROTECT YOURSELF FROM SUCH ATTACKS
    To protect yourself to be a victim of such attacks, use Near Field Communication (NFC)to safely transmit a PIN code to compatible smartwatches during pairing, but that would likely increase the cost and complexity of the devices. In addition, "using passphrases is also tedious as it would involve manually typing a possibly randomly generated string onto the wearable smartwatch," the report said.
    Another option is to use original equipment manufacturers (OEMs) by Google as an alternative to make data transfers between either device more secure. "Or we could supersede the entire Bluetooth encryption between Android device and smartwatch and use a secondary layer of encryption at the application level," the report offered. There are almost certainly other potential fixes available.

    VIDEO DEMONSTRATION
    You can watch the Proof-of-Concept video below, ran on a Samsung Gear Live smartwatch and a paired Google Nexus 4 device running Android L Preview.
    Link for video:


    Link for story:
    Smartwatch Hacked... Data Exchange with Smartphone Not So Secure - Hacker News
     
    • Informative Informative x 1
  2. Jonny Kansas

    Jonny Kansas Administrator
    Staff Member Rescue Squad

    Joined:
    Jan 21, 2010
    Messages:
    16,468
    Likes Received:
    7,038
    Trophy Points:
    1,278
    Location:
    Michigan's Upper Peninsula
    Ratings:
    +8,379
    Current Phone Model:
    Pixel XL
    Twitter:
    jonny_ks
    Good story.

    This is something that a lot of people don't think about. You take a risk when connecting to anything wirelessly even more than if you're wired in.

    This problem could be easily fixed with proper encryption protocols between the paired/trusted devices, but smartwatches are still in their infancy.

    Stories like this will hopefully get Google and others that are working on the software that runs these devices to realize they need to focus serious energy on securing these connections before adding more bells and whistles and flash to them.

    The video is a simple proof of concept, but it's only a matter of time before serious black hat hackers realize there's an opportunity here to steal some very sensitive information, just like sitting in a Starbucks and running a packet sniffer on their open wifi network.
     
    • Like Like x 2
  3. Ollie

    Ollie Droid Does

    Joined:
    Apr 13, 2012
    Messages:
    3,446
    Likes Received:
    2,105
    Trophy Points:
    1,468
    Location:
    South Coast
    Ratings:
    +2,485
    Current Phone Model:
    Note Edge - iPhone 6 Plus
    On the initial launch of the iBeacon stack the first thing I thought about was all of these folks will be running around with a huge vulnerability in their hands.

    It doesn't even have to be a Bluetooth protocol that leaves you vulnerable. Look at those new RFID banking cards that can be scanned unknowingly while in your wallet/purse, the banking data transfered to something as simple as a hotel room keycard, and then swiped at any sales counter of your choosing. All within 5 minutes

    The biggest problem is that most average people don't have the tech know how to understand that not everything pushed out by "trusted OEMs" is flawless. Couple that with complacency brought on by the daily bombardment of hacking news that has made people complacent and numbed by it.

    It's almost accepted by people today that hacking is the new norm and they have just come to accept it and don't take any steps to prevent it from happening to them.
     
    • Like Like x 1
    • Agree Agree x 1
Search tags for this page

nearby dwvice hacked transfer log