Data moving between your smartwatch and phone can be easily stolen

Data moving between your smartwatch and phone can be easily stolen
While we have been getting quite a bit of good news today when it comes to wearables, and specifically the Android 5.0 Lollipop update coming to Android Wear smartwatches, there is also some bad news to pass along. It turns out that the data moving between your smartwatch and smartphone is not secured very well, and can be easily stolen.

The exploit was recently proven by Bitdefender using a Samsung Gear Live and a Google Nexus 4 running a preview version of Android 5.0. The exploit gains access, because Bluetooth's PIN number pairing method is easily overcome by a brute force attack, since there are only one million possible PIN combinations. The hacking tools are easily found, and once the PIN is found through a brute force attack, any data moving between your smartwatch and phone can easily be captured. A lot of the data currently being passed between your wearable and phone is relatively useless, like weather, sports scores, or generic app alerts. But, it also leaves any messaging or calendar event data open to be stolen. 

Android Wear currently relies on your smartwatch co-processor to handle encryption, but that is easily overcome, according to Bitdefender. A change to the way Bluetooth authenticates a pairing connection could help fix the problem, like a move to NFC authentication for Bluetooth pairing, so a brute force attack wouldn't be possible. But, a fix will take time to get sorted out, and your data could be at risk in the meantime. 


FEATURED VIDEO

7 Comments

1. sprockkets

Posts: 1612; Member since: Jan 16, 2012

The problem with this vidoe is this additional later note: "Our research involved analyzing the raw traffic before being sent over the air via the baseband co-processor." Which means they didn't even read the information being sent wirelessly which is encrypted with a key not based on your pin code. BT specs also dictate the key be changed every so often as well. "Android Wear does have a major flaw, because it relays data between your phone and watch in plain text, which is a big problem that Google would do well to fix quickly." This is flat out wrong. Encryption is handled via the BT modules, and is AES-CCM. The test is flawed. Once you are paired up, you can't be hacked so "easily". Read the comments on Ars for your own verification of this.

2. SPASE

Posts: 257; Member since: May 03, 2013

PA needs to do some 101 bluetooth study and stop pasting/passing off others garble. On bluetooth, the pin is not used for the purpose of encryption, it is solely for the INITIAL pairing of the devices, there after a secure encryption key is generated and used till it expires.

3. emvxl

Posts: 139; Member since: Sep 29, 2009

Ah, sensationalism in the news. Wrong it might be, but you get the attention of the audience - 1 or 2 maybe.

5. SPASE

Posts: 257; Member since: May 03, 2013

Lol, how true, got me :)

4. rangoj

Posts: 46; Member since: Mar 29, 2014

Bad attempt to raise panic about the problem that does not exist :)

6. AlikMalix unregistered

I dont understand.. when these hack news come out for Android - it's false this, and overhype that... when it's on iOS - everyone is doomed...

7. manav

Posts: 4; Member since: Dec 10, 2014

they only defended a bit

Latest Stories

This copy is for your personal, non-commercial use only. You can order presentation-ready copies for distribution to your colleagues, clients or customers at https://www.parsintl.com/phonearena or use the Reprints & Permissions tool that appears at the bottom of each web page. Visit https://www.parsintl.com/ for samples and additional information.