Bitdefender: smartphone to smartwatch communication is not secure

Martin Brinkmann
Dec 16, 2014
Updated • Dec 16, 2014
Mobile Computing

Security and privacy are not really at the top of the list of features that most consumers want when they select a smartphone or a smartwatch.

It does play a huge role for some users, many Ghacks readers for example, but the masses seem more interested in looks and having the latest and greatest features than anything else.

As far as smartwatches are concerned, many need to be paired with a smartphone that you carry with you as well to be functional. The watch uses the data that the smartphone provides to display information such as incoming SMS on the screen. It can also be used to control functionality on the smartphone.

The devices are paired over Bluetooth, and once they have been paired, data is transferred between them using Bluetooth.

Security company Bitdefender demonstrated recently that the safeguards in place to protect communication between the phone and watch are not secure enough.

The company demonstrated these shortcomings using a Nexus 4 device running the Android L Developer Preview and an LG G smartwatch.

The communication between smartwatch and smartphone is encrypted using a six-digit PIN code, which means that it is not enough to simply record and read the data that is being transferred using Bluetooth.

This PIN code is displayed on both devices when they are paired by the user during the initial setup process.

Bitdefender used publicly available tools to brute force the pin code and read the information transferred between the devices.

The (roughly) one million combinations of a six-digit numeric PIN are cracked by modern computer systems in a matter of seconds.
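The arithmetic behind that claim, as an added example that is not Bitdefender's tooling or code from the article. It uses a constructed stand-in key derivation (HMAC-SHA256 over the PIN, an assumption and not Bluetooth's own pairing functions) and constructed sample data to measure how long trying every six-digit PIN takes, then compares that with a 128-bit key at the same rate.

```python
import hmac
import math
import time

DIGITS = 6  # PIN length described in the article

def keyspace_bits(digits: int = DIGITS) -> float:
    """Entropy in bits of a uniformly random numeric PIN."""
    return digits * math.log2(10)

def derive_key(pin: int, salt: bytes) -> bytes:
    """Stand-in derivation (assumption, not Bluetooth's): HMAC-SHA256(salt, PIN)."""
    return hmac.digest(salt, f"{pin:0{DIGITS}d}".encode(), "sha256")

def protect(pin: int, salt: bytes, message: bytes) -> bytes:
    """Tag a message under the PIN-derived key; this is what a recorder would see."""
    return hmac.digest(derive_key(pin, salt), message, "sha256")

def exhaust_pins(salt: bytes, message: bytes, observed: bytes):
    """Try every PIN offline. Returns (pin or None, attempts, seconds)."""
    start = time.perf_counter()
    for pin in range(10 ** DIGITS):
        if hmac.compare_digest(protect(pin, salt, message), observed):
            return pin, pin + 1, time.perf_counter() - start
    return None, 10 ** DIGITS, time.perf_counter() - start

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every value of a secret with the given entropy."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    salt, message = b"constructed-salt", b"constructed notification text"
    observed = protect(999_999, salt, message)  # worst case: last PIN tried
    pin, attempts, seconds = exhaust_pins(salt, message, observed)
    rate = attempts / seconds
    print(f"{DIGITS}-digit PIN: {keyspace_bits():.1f} bits, "
          f"found {pin:06d} after {attempts} tries in {seconds:.1f} s")
    print(f"128-bit key at the same rate: {years_to_exhaust(128, rate):.2e} years")
```

A six-digit PIN carries just under 20 bits of entropy, so any secret derived from it alone inherits that limit no matter how strong the cipher that uses the key is.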

The need for proximity is a limiting factor though. Bluetooth supports three different range classes:

  1. Class 1: up to 100 meters
  2. Class 2: up to 10 meters
  3. Class 3: up to 1 meter

Most smartphones use class 2 radios, which means that attackers need to get into the supported range for the attack.

The pairing weakness that Bitdefender seems to have exploited is a security issue in Bluetooth LE and not specific to wearables. A hacker would need to be near enough to record the communication and need a link-key for the pairing as well unless communication is transmitted in plain text.

Closing Words

It is worrying that communication between watch and phone can be easily captured if the attacker manages to get in close proximity of the wearer.

While that may not be a problem for most users, high-level executives, government officials and others with access to sensitive information should at least be aware of the possibility.

How big of an issue is it? I'd wait for an official response from Google or third parties before coming to a conclusion.


Comments

  1. sheriffmichael said on May 2, 2017 at 10:53 pm

    the reason why I to update this phone is to use it for browsing and WhatsApp and Facebook

  2. Dante said on December 16, 2014 at 6:54 pm

    I love it. Got to recommend these cute fashionista watches to the finance crowd :)

  3. Pants said on December 16, 2014 at 1:26 pm

    Whoever came up with six digits needs to be high-fived, in the face, with a chair. With the Internet of Everything shaping, the building blocks need to incorporate good end to end encryption from day one (and I don’t mean Verizon’s idea of end to end encryption where one end is the NSA).
