Exploit Millions of Pebble Smartwatches for Fun and Profit

Friday 7 October 14:00 - 14:30, Red room

Yulong Zhang (Baidu X-Lab)
Lenx Wei (Baidu X-Lab)

In 2015, nearly two million Pebble smartwatches were sold, according to IDC [1]. These next-to-skin life/work companions have great implications for privacy and security. Some existing work has already highlighted the security and privacy issues with Pebble watches (e.g. [2]), but none has considered the possibility of a malicious actor fully taking over the watches. To our knowledge, we are the first to describe the root exploits of Pebble watches. We will present several zero-day vulnerabilities that we have discovered.

We will start by providing an overview of Pebble's ecosystem and architecture, including its App Store mechanism and the hardware/software stack. We will describe many details uncovered through reverse engineering.

After providing enough background, we will move to our concerns about the security of Pebble smartwatches. First, Pebble allows anyone (without authenticating who they are) to develop apps in C that can execute natively on the watches. Pebble does not perform a security review of the submissions; it relies on on-watch memory isolation and user reports to defend against malicious apps [3]. With this design, attackers can still find a way to stealthily distribute malware.

Next, we will present the internals of Pebble's kernel, and discuss a zero-day vulnerability discovered by us that can lead to privilege escalation. Local attackers can exploit this issue to root the watches, and can even persistently take full control of the watches. This vulnerability can also generally affect other wearable or embedded platforms.

Lastly, we will point out that the security of smartwatches depends on the security of the phones they are paired with. By exploiting this trust chain, attackers can launch remote attacks to take over the watches. An Android zero-day Bluetooth vulnerability discovered by us will be used as an example. Several other vulnerabilities due to Pebble's design flaws will also be described.

We have responsibly disclosed all issues to Pebble and other related vendors. The vulnerabilities shown in this paper can generally affect other wearable or embedded platforms. We hope that this talk will kick-start a discussion of wearable security, and inspire more researchers and vendors to join the effort to improve wearable security.

[1] https://www.idc.com/getdoc.jsp?containerId=prUS40846515
[2] https://courses.csail.mit.edu/6.857/2014/files/09-boning-lee-valdez-pebble-smartwatch.pdf
[3] https://developer.pebble.com/legal/


Yulong Zhang

Yulong Zhang is currently working at Baidu conducting research and development into next-generation methodologies to analyse advanced mobile malware, and to design security products to detect and defend mobile threats.


Lenx (Tao) Wei

Dr. Lenx (Tao) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.