Exploit Millions of Pebble Smartwatches for Fun and Profit

Presented at VB2016, Oct. 7, 2016, 2 p.m. (30 minutes)

In 2015, nearly two million *Pebble* smartwatches were sold, according to *IDC* [[1](#ref1)]. These next-to-skin life/work companions have great implications for privacy and security. Some existing work has already highlighted the security and privacy issues with *Pebble* watches (e.g. [[2](#ref2)]), but none has considered the possibility of a malicious actor fully taking over the watches. To our knowledge, we are the first to describe the root exploits of *Pebble* watches. We will present several zero-day vulnerabilities that we have discovered.

We will start by providing an overview of the *Pebble*'s ecosystem and architecture, including its *App Store* mechanism and the hardware/software stack. Many details uncovered through reverse engineering will be described. After providing enough background, we will move to our concerns about the security of *Pebble* smartwatches. First, *Pebble* allows anyone (without authenticating who they are) to develop apps in C that can execute natively on the watches. *Pebble* does not perform a security review of the submissions; it relies on the on-watch memory isolation and user reports to defend against malicious apps [[3](#ref3)]. With this design, attackers can still find a way to stealthily distribute malware.

Next, we will present the internals of *Pebble*'s kernel, and discuss a zero-day vulnerability discovered by us that can lead to privilege escalation. Local attackers can exploit this issue to root the watches, and can even persistently take full control of the watches. This vulnerability can also generally affect other wearable or embedded platforms. Lastly, we will point out that the security of smartwatches depends on the security of the pairing phones. By exploiting this trust chain, attackers can launch remote attacks to take over the watches. An *Android* zero-day Bluetooth vulnerability discovered by us will be used as an example. Several other vulnerabilities due to *Pebble*'s design flaws will also be described.

We have responsibly disclosed all issues to *Pebble* and other related vendors. The vulnerabilities shown in this paper can generally affect other wearable or embedded platforms. We hope that this talk will kick-start a discussion of wearable security, and inspire more and more researchers and vendors to join in the effort of improving wearable security.

Presenters:

  • Lenx Wei - Baidu X-Lab
    Dr. Lenx (Tao) Wei is the head of Baidu X-Lab. Prior to joining Baidu, he was an associate professor at Peking University. His research interests include software analysis and system protection, web trust and privacy, programming languages, and mobile security.
  • Yulong Zhang - Baidu X-Lab
    Yulong Zhang is currently working at Baidu conducting research and development into next-generation methodologies to analyse advanced mobile malware, and to design security products to detect and defend against mobile threats.
