Exploit Millions of Pebble Smartwatches for Fun and Profit

Friday 7 October 14:00 - 14:30, Red room

Yulong Zhang (Baidu X-Lab)
Lenx Wei (Baidu X-Lab)

In 2015, nearly two million Pebble smartwatches were sold, according to IDC [1]. These next-to-skin life/work companions have great implications for privacy and security. Some existing work has already highlighted the security and privacy issues with Pebble watches (e.g. [2]), but none has considered the possibility of a malicious actor fully taking over the watches. To our knowledge, we are the first to describe the root exploits of Pebble watches. We will present several zero-day vulnerabilities that we have discovered.

We will start by providing an overview of Pebble's ecosystem and architecture, including its App Store mechanism and the hardware/software stack. Many details uncovered through reverse engineering will be described.

After providing enough background, we will move to our concerns about the security of Pebble smartwatches. First, Pebble allows anyone (without authenticating who they are) to develop apps in C that can execute natively on the watches. Pebble does not perform a security review of the submissions; it relies on on-watch memory isolation and user reports to defend against malicious apps [3]. With this design, attackers can still find a way to stealthily distribute malware.

Next, we will present the internals of Pebble's kernel and discuss a zero-day vulnerability that we discovered, which can lead to privilege escalation. Local attackers can exploit this issue to root the watches, and can even persistently take full control of them. This vulnerability can also generally affect other wearable or embedded platforms.

Lastly, we will point out that the security of smartwatches depends on the security of the phones they are paired with. By exploiting this trust chain, attackers can launch remote attacks to take over the watches. An Android zero-day Bluetooth vulnerability that we discovered will be used as an example. Several other vulnerabilities due to Pebble's design flaws will also be described.

We have responsibly disclosed all issues to Pebble and other related vendors. The vulnerabilities shown in this paper can generally affect other wearable or embedded platforms. We hope that this talk will kick-start a discussion of wearable security, and inspire more researchers and vendors to join the effort to improve wearable security.

[1] https://www.idc.com/getdoc.jsp?containerId=prUS40846515
[2] https://courses.csail.mit.edu/6.857/2014/files/09-boning-lee-valdez-pebble-smartwatch.pdf
[3] https://developer.pebble.com/legal/

Yulong Zhang

Yulong Zhang is currently working at Baidu conducting research and development into next-generation methodologies to analyse advanced mobile malware, and to design security products to detect and defend mobile threats.

Lenx (Tao) Wei

Dr. Lenx (Tao) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.


